Thank you again Chris...I will certainly take your advice and install the software programs you suggest (I already have Ad-ware/Spybot/ZoneAlarm/NortonAV). Is all this extra protection because the different programs find different things & will they find trojans?
I did a scan with Panda (from your site) after I sent you my last Hijackthis log and I think it still shows that I have the trojan...what now please?
Exploit/ByteVerify No disinfected C:\Documents and Settings\Brenda Gold\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-7d1aaa7e-1f3790f2.zip[Counter.class]
Exploit/ByteVerify No disinfected C:\Documents and Settings\Brenda Gold\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-7d1aaa7e-1f3790f2.zip[Gummy.class]
Texruss mentioned earlier on about some 'tweaking' of my computer - what did he mean and what should I do?
Sorry about how long this has gone on for and all the questions but I am very new to this and hate to have 'baddies' on the computer and so want to do everything that is necessary to stop it.
I am very grateful to you for all your help....aryeh
--------Quote-----
I have done the above - does this mean the trojan has gone?
------End Quote-----------
Yes I think so - no sign of it in the log, however some are able to hide in other places that hijackthis does not display yet, so I always ask if any problems are still being found.
=============================
This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place?
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :-
http://www.computercops.biz/postlite7736-.html
or
http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-
Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.
Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known baddies.
Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.
With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
Spybot S&D and Ad-aware do 'mostly' the same job. They will rid you of most of the general malware. I use both as Belt and Braces.
Spywareblaster sets the kill bits to stop installs of bad activeX - does not use any processing time or memory, I well recommend it.
IE-spyad - does the same as Spywareblaster but for blocking access to lots of bad sites.
All of the above only run when you tell them, update - scan once a week/month or how ever you wish.
Spywareguard and winpatrol also do similar jobs, but they do run like your Anti-virus all the time. They check for bad installs of activeX and the hijacks of home/search pages, also winpatrol will monitor the list of current starting programs and let you know if any new ones are added. They may not stop the install or be able to remove (they will try) - but they give a very early warning that something is going on.
A firewall prevents attacks from outside your computer, and a popup stopper (google toolbar etc) will stop advert popups on websites.
So yes they all do different jobs.
Re your scan result - It is not active - it is in a zip file - that may even be a false positive. I don't use Sun Java (ya I should) so don't know for myself but you may be able to clear its 'cache' which would remove these files.
Re tweaking your system - you have a lot of programs starting up with the computer, the less you have the faster the boot, and the more memory and resources available for the programs you do run. Most of the programs you can see in your log as the O4's - are there any you don't need to start with the computer, if so you could cut them out to make your machine lean and mean.
I've installed Spywareguard & Spywareblaster but re IE-spyad, I looked at their help pages and it's beyond my comprehension (I've only had my computer for a few months) on how to configure - any tips please? Don't think you mentioned Winpatrol before, do I need it now I have Spywareguard?
Quote - Re your scan result - It is not active - it is in a zip file - that may even be a false positive. I don't use Sun Java (ya I should) so don't know for myself but you may be able to clear its 'cache' which would remove these files.
Please, how do I do this and what is Sun Java?
Quote - Re tweaking your system - you have a lot of programs starting up with the computer, the less you have the faster the boot, and the more memory and resources available for the programs you do run. Most of the programs you can see in your log as the O4's - are there any you don't need to start with the computer, if so you could cut them out to make your machine lean and mean.
I have no idea how to go about this, do you mean uninstall some of my programs (that I know how to do) but what are O4's and how do I know if they are necessary & how do I get rid of them if they are not? I have 1GB of memory and my computer is a Dell Dimension 8300 Pentium 4 CPU 3.20GHz
Texruss
3.4K Posts
0
April 10th, 2004 14:00
Hopefully you have an AV program. Update it and follow the vendor's instructions for removal at their webpage. Here is Norton's:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
HTH,
Texruss
Texruss
3.4K Posts
0
April 10th, 2004 16:00
Are you running both AVs at the same time? It's generally not a good idea to have two automatic scanners.
Texruss
Try these tools to detect and repair malware:
Spybot Search & Destroy:
http://www.safer-networking.org
Adaware:
http://www.lavasoft.de
Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt
(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm
Forums for help and analysis of your Hijackthis logfile:
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.computercops.us/forums.html
http://forums.us.dell.com/supportforums
http://forums.net-integration.net
http://boards.cexx.org
http://www.wilderssecurity.com
Free AVG Antivirus for home users:
http://www.grisoft.com
Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Windows Security CD:
www.microsoft.com/security/protect/cd/order.asp
Texruss
3.4K Posts
0
April 11th, 2004 13:00
You have everything but the kitchen sink loaded up for malware protection...just kidding. I prefer a few different programs. But the more pressing matter is a Winsock hijacking that needs to be fixed. There are a bunch of performance tweaks that will also help, but we need to get rid of the baddies first.
Download the lspfix tool and run it.
http://www.cexx.org/lspfix.htm
Reboot. Delete all temporary files (Use Disk Cleanup...type cleanmgr at Start/Run. clean all the junk.)
Uninstall Grisoft's AV and reboot. You need a good single realtime protector and I suspect it may be giving false positives on the exploit or possibly sees it as the winsock hijackers. Norton is fine...keep it updated.
Next...Download and install: (Get updates for each program after installing and running the first time). Run Spybot first.
Spybot Search & Destroy:
http://www.safer-networking.org
Adaware:
http://www.lavasoft.de
Have them fix all problems.
Reboot.
Run Hijackthis again and put a checkmark by:
R3 - Default URLSearchHook is missing
With all other windows closed except for Hijackthis select Fix checked.
Reboot. Run a new Hijackthis log and copy and paste it here. There are a couple other minor things and some performance tweaks I will suggest.
HTH,
Texruss
ChrisRLG
3.9K Posts
0
April 11th, 2004 15:00
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
aryeh
2 Intern
147 Posts
0
April 12th, 2004 08:00
I have downloaded the Ispfix tool and read the text document. I do not know how to proceed with the Ispfix tool - it shows:-
Keep Remove
mswsock.dll Tcpid
winrnr.dll NTDS THIS AREA IS BLANK
Proxy.dll (Protocol handler)
rsvpsp.dll ( " " )
Please tell me what to do, step by step. I haven't had any Internet connection problems but assume you saw something in the log that I posted, that I don't understand!! I will proceed with your other instructions once I know how to use Ispfix.
Thanks for your invaluable help.....aryeh
ChrisRLG
3.9K Posts
0
April 12th, 2004 10:00
aryeh
Please DO NOT use LSPfix on that item. Please read this:-
http://www.angeltowns.com/members/zupe/lsps.html
It lists those known good and bad LSP items - your one is in the good section and is part of http://www.spamfighter.com/ that you have installed.
Please provide a new hijackthis log for me to check.
aryeh
2 Intern
147 Posts
0
April 12th, 2004 11:00
phew...thanks Chris - but why did Texruss ask me to do that? should I do the other things he suggested, such as uninstall AVG? I only use Spamfighter with Outlook Express, I usually run AOL and it isn't configured there (don't know if it is compatible or how to configure it if it is!!)
I did run Disk Cleanup and scanned with Adaware and then Spybot, rebooted scanned with HijackThis (attached). Will all this help with the Trojan?
Thanks, you guys are great....aryeh
Logfile of HijackThis v1.97.7
Scan saved at 13:42:01, on 12/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 4 Professional\Search and Recover\DiskImageService.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] "C:\Program Files\iolo\System Mechanic 4 Professional\Search and Recover\DiskImageService.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Downloads (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
ChrisRLG
3.9K Posts
0
April 12th, 2004 12:00
Texruss is in training, not an expert yet, but is progressing very well. Your item is not often seen, most of these O10 lines that we see are malware. He needs to gain knowledge of those, and I have provided a link for him giving details of good and bad ones. Unfortunately until special cases turn up it is hard to show them all.
I am currently reviewing all that he advises, but there can be a time lag, as he is in the US and I am in the UK.
==============================
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.
R3 - Default URLSearchHook is missing
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
-Microsoft Office (OSA9.EXE) (Optional - resource hog)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
-QuickTime Task (QTTASK.EXE) (Optional - resource hog)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
Then Reboot and post a fresh log for me to check.
Please when you post back - tell me of any problems still being found.
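To make the advice in this thread concrete (Chris's point that an O10 Winsock LSP entry can be legitimate and must be checked against a known-good list before anyone hits "Fix", his list of R3/O4/O16 items to fix, and his note that the O4 lines are the startup programs worth trimming), here is a small triage script for HijackThis-format logs. It is an added example, not part of the thread, of HijackThis, or of LSPFix. The sample log lines are constructed in the shape of the logs posted above; the `KNOWN_GOOD_LSP` and `TRUSTED_DPF_HOSTS` allowlists are assumptions built from what the thread says (SPAMfighter's proxy.dll is the good LSP, the AOL checkup control is expected), and `example-unknown.dll` is a placeholder file name, not anything from the posted logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on the log lines
# posted in this thread. "example-unknown.dll" is a placeholder path invented for
# the example; it is not a real file from the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example-unknown.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
"""

# Every HijackThis line starts with a section tag (R0-R3, O1-O16, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Allowlist of LSP DLLs known to be good: constructed for this example from the
# thread, where SPAMfighter's proxy.dll is identified as a legitimate LSP.
KNOWN_GOOD_LSP = {
    "proxy.dll": "SPAMfighter mail-filter LSP (listed as good in the thread)",
}

# Hosts from which ActiveX (O16 DPF) downloads are expected on this machine:
# constructed allowlist holding AOL's computer-checkup control from the posted log.
TRUSTED_DPF_HOSTS = {"aolcc.aolsvc.aol.co.uk"}


def parse_hjt(text):
    """Group log lines by section tag, dropping exact duplicate lines
    (the posted log repeats the same O10 line five times)."""
    entries, seen = defaultdict(list), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m and line not in seen:
            seen.add(line)
            entries[m.group("section")].append(m.group("body"))
    return entries


def list_startup(bodies):
    """O4 entries: registry Run values '[Name] command' or startup-folder
    shortcuts 'Startup: X.lnk = target'. Returned for a human to decide which
    are needed; nothing is removed automatically."""
    items = []
    for body in bodies:
        m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)", body)
        if m:
            items.append((m.group("name"), m.group("cmd").strip()))
        else:
            location, _, target = body.partition(" = ")
            items.append((location.split(": ", 1)[-1], target.strip()))
    return items


def triage_lsp(bodies):
    """O10 entries: 'Unknown file in Winsock LSP: <path>'. An LSP is 'keep' only
    if its file name is on the known-good list; anything else is 'investigate',
    never 'remove', because deleting a legitimate LSP breaks networking."""
    results = []
    for body in bodies:
        path = body.split(":", 1)[1].strip()          # text after "...LSP:"
        name = path.rsplit("\\", 1)[-1].lower()       # bare DLL file name
        if name in KNOWN_GOOD_LSP:
            results.append((path, "keep", KNOWN_GOOD_LSP[name]))
        else:
            results.append((path, "investigate", "not on known-good list; check before fixing"))
    return results


def triage_dpf(bodies):
    """O16 entries: downloaded ActiveX controls '{CLSID} [(name)] - URL'.
    A control fetched from a host outside the trusted set is flagged for review."""
    results = []
    for body in bodies:
        url = body.rsplit(" - ", 1)[-1].strip()
        host = (urlparse(url).hostname or "").lower()
        results.append((url, "trusted" if host in TRUSTED_DPF_HOSTS else "review"))
    return results


def triage(text):
    """Report for one log: startup list, LSP verdicts, DPF verdicts, and every
    other section left as-is for manual reading (R3 etc.)."""
    entries = parse_hjt(text)
    return {
        "startup": list_startup(entries.get("O4", [])),
        "lsp": triage_lsp(entries.get("O10", [])),
        "dpf": triage_dpf(entries.get("O16", [])),
        "other": {k: v for k, v in entries.items() if k not in ("O4", "O10", "O16")},
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(f"== {section}")
        for row in (rows.items() if isinstance(rows, dict) else rows):
            print("  ", row)
```

The design choice worth noting is that the LSP verdicts are only ever "keep" or "investigate": the script refuses to propose removal, which is exactly the failure the thread describes (an unfamiliar O10 line mistaken for malware). The allowlists are the part you maintain; the reference list Chris links is where such entries would come from.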
ChrisRLG
3.9K Posts
0
April 12th, 2004 12:00
RE dual anti-virus programs.
It is possible to have two AV's on one system, BUT very difficult. I would not advise that it be done except for experts. I use the AVG7 and find it good, others report it is able to co-exist with some other AV's - BUT Norton and McAfee are the hardest to combine with.
I would suggest you uninstall the last one installed. If that is the one you would wish to keep, then uninstall the other before installing the preferred one. Do this offline from the net if possible.
Texruss
3.4K Posts
0
April 12th, 2004 13:00
>but why did Texruss ask me to do that?
Mainly because I made a mistake with this fairly rare entry in a Hijackthis log. *;-) The tutorial from the Hijackthis author mentions that specific entry area and says it's best to fix these using LSPFix from Cexx.org or Spybot S&D. I took that too much to heart and thought your entry was malware. But as the link Chris provided shows, there are good and bad entries in that area. Now I know the exceptions, malware, and unknowns so I will be more cautious. My apologies and thanks to Chris for his assistance.
As for dueling AV products in the past I have had as many as seven competing products installed at one time on my machine (mainly for magazine reviews). I never allowed more than one to be active on bootup and ran the others manually as needed. There is a chance for conflict with too much protection. Lots of AV programs to choose from and the top ones are all pretty good at what they do. But remember they all will fail against a new unknown virus until new definitions are developed. That lag period can be deadly to some users. There is only one true defense against data loss and that is timely and accurate backups of data files. Most of us are pretty slack on doing that. Just think...if your hard drive died right now, what would you lose? Something to think about.
All the best,
Texruss
aryeh
2 Intern
147 Posts
0
April 13th, 2004 05:00
==============================
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.
R3 - Default URLSearchHook is missing
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
-Microsoft Office (OSA9.EXE) (Optional - resource hog)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
-QuickTime Task (QTTASK.EXE) (Optional - resource hog)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
Then Reboot and post a fresh log for me to check.
I have done the above - does this mean the trojan has gone?
"Please when you post back - tell me of any problems still being found " - should I now expect any problems & where should I look?
Thanks again...aryeh
Logfile of HijackThis v1.97.7
Scan saved at 07:15:42, on 13/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 4 Professional\Search and Recover\DiskImageService.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] "C:\Program Files\iolo\System Mechanic 4 Professional\Search and Recover\DiskImageService.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Downloads (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
aryeh (2 Intern, 147 Posts), April 13th, 2004 12:00
Thank you again Chris...I will certainly take your advice and install the software programs you suggest (I already have Ad-ware/Spybot/ZoneAlarm/NortonAV). Is all this extra protection because the different programs find different things & will they find trojans?
I did a scan with Panda (from your site) after I sent you my last Hijackthis log and I think it still shows that I have the trojan...what now please?
Exploit/ByteVerify No disinfected C:\Documents and Settings\Brenda Gold\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-7d1aaa7e-1f3790f2.zip[Counter.class]
Exploit/ByteVerify No disinfected C:\Documents and Settings\Brenda Gold\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-7d1aaa7e-1f3790f2.zip[Gummy.class]
Texruss mentioned earlier on about some 'tweaking' of my computer - what did he mean and what should I do?
Sorry about how long this has gone on for and all the questions but I am very new to this and hate to have 'baddies' on the computer and so want to do everything that is necessary to stop it.
I am very grateful to you for all your help....aryeh
ChrisRLG (3.9K Posts), April 13th, 2004 12:00
--------Quote-----
I have done the above - does this mean the trojan has gone?
------End Quote-----------
Yes I think so - no sign of it in the log, however some are able to hide in other places that hijackthis does not display yet, so I always ask if any problems are still being found.
=============================
This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-
Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.
Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known baddies.
Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.
With these and a firewall in place I have to try various bad sites when checking people's hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
ChrisRLG (3.9K Posts), April 13th, 2004 13:00
First the list of programs to have.
Spybot S&D and Ad-aware do 'mostly' the same job. They will rid you of most of the general malware. I use both as Belt and Braces.
Spywareblaster sets the kill bits to stop installs of bad activeX - does not use any processing time or memory, I well recommend
IE-spyad - does the same as Spywareblaster but for blocking access to lots of bad sites.
All of the above only run when you tell them, update - scan once a week/month or how ever you wish.
Spywareguard and winpatrol also do similar jobs, but they do run like your Anti-virus all the time. They check for bad installs of activeX and the hijacks of home/search pages, also winpatrol will monitor the list of current starting programs and let you know if any new ones are added. They may not stop the install or be able to remove (they will try) - but they give a very early warning that something is going on.
A firewall prevents attacks from outside your computer, and a popup stopper (google toolbar etc) will stop advert popups on websites.
So yes they all do different jobs.
Re your scan result - It is not active - it is in a zip file - that may even be a false positive. I don't use Sun Java (ya I should) so don't know for myself but you may be able to clear its 'cache' which would remove these files.
Re tweaking your system - you have a lot of programs starting up with the computer, the less you have the faster the boot, and the more memory and resources available for the programs you do run. Most of the programs you can see in your log as the O4's - are there any you don't need to start with the computer, if so you could cut them out to make your machine lean and mean.
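An added example, not from this thread or from HijackThis itself, that reads the two entry types Chris points at (O4 startup programs and O10 Winsock LSP entries) from constructed sample lines in HijackThis log format, so the startup list can be reviewed per location and repeated LSP lines collapse to the distinct DLLs involved:

```python
import re
from collections import Counter

# Constructed sample lines in HijackThis log format (modelled on the thread's
# log but not the full log), covering O4 startup items and O10 Winsock LSPs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\program files\spamfighter\proxy\proxy.dll
"""

# Two O4 shapes: registry Run values "[name] command" and Startup-folder ".lnk = target".
O4_REG = re.compile(r'^O4 - (?P<where>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O4_LNK = re.compile(r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$')
O10_LSP = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')


def parse_startup(log):
    """Return one dict per O4 entry: where it is registered, its label, and the command."""
    items = []
    for line in log.splitlines():
        m = O4_REG.match(line) or O4_LNK.match(line)
        if m:
            items.append({"where": m["where"], "name": m["name"], "cmd": m["cmd"].strip()})
    return items


def startup_by_location(log):
    """Group O4 entry names by location so each list can be reviewed on its own."""
    grouped = {}
    for item in parse_startup(log):
        grouped.setdefault(item["where"], []).append(item["name"])
    return grouped


def lsp_summary(log):
    """Count Winsock LSP chain entries per DLL (paths lower-cased for comparison).

    One DLL repeated several times is a single provider hooked into several
    protocol chains, so the number of distinct DLLs is the useful figure.
    """
    return Counter(m["path"].lower() for m in map(O10_LSP.match, log.splitlines()) if m)


if __name__ == "__main__":
    for where, names in startup_by_location(SAMPLE_LOG).items():
        print(f"{where}: {', '.join(names)}")
    for path, n in lsp_summary(SAMPLE_LOG).items():
        print(f"LSP {path} appears in {n} chain entries")
```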
aryeh (2 Intern, 147 Posts), April 13th, 2004 14:00
I've installed Spywareguard & Spywareblaster but re IE-spyad, I looked at their help pages and it's beyond my comprehension (I've only had my computer for a few months) on how to configure - any tips please? Don't think you mentioned Winpatrol before, do I need it now I have Spywareguard?
Quote - Re your scan result - It is not active - it is in a zip file - that may even be a false positive. I don't use Sun Java (ya I should) so don't know for myself but you may be able to clear its 'cache' which would remove these files. Please, how do I do this and what is Sun Java?
Quote - Re tweaking your system - you have a lot of programs starting up with the computer, the less you have the faster the boot, and the more memory and resources available for the programs you do run. Most of the programs you can see in your log as the O4's - are there any you don't need to start with the computer, if so you could cut them out to make your machine lean and mean. I have no idea how to go about this, do you mean uninstall some of my programs (that I know how to do) but what are O4's and how do I know if they are necessary & how do I get rid of them if they are not? I have 1GB of memory and my computer is a Dell Dimension 8300 Pentium 4 CPU 3.20GHz