Spyware assistance needed - HijackThis Log {Solved}
Hello! My laptop is infected by spyware/trojans that couldn't be disinfected/deleted. I followed the steps as advised by Trogan_1000 in 'Read Here First Before Posting a HijackThis Log!', but haven't installed anti-virus software for the time being because it clashes with my work integration software. I am also unable to fully scan the laptop using Panda ActiveScan because of the constant interference from the redirection of its website to somewhere else.
I would really appreciate it if someone could help me out as I am at a loss as to what to do. I enclosed the HijackThis Log, Spyware Doctor Log and BitDefender Log.
Thanks in advance!
Mei
Logfile of HijackThis v1.99.1
Scan saved at 6:35:18 PM, on 9/24/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\bmwebcfg.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\system32\WLTRAY.exe
C:\Program Files\Generic\USB Card Reader Driver v2.3b\FlashIcon.exe
C:\WINNT\system32\perzum.exe
C:\program files\popupwithcast\septpop06apsept.exe
C:\WINNT\zbidgycA.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sierra Wireless Inc\AirCard 800 Series\Watcher.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,lnproda.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3b\FlashIcon.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\perzum.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xzxd2627] RUNDLL32.EXE w0179618.dll,n 004d2623000000020179618
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [ms078362-213910] C:\WINNT\ms078362-213910.exe
O4 - HKLM\..\Run: [zbidgycA] C:\WINNT\zbidgycA.exe
O4 - HKLM\..\Run: [Cingular Communication Manager] C:\Program Files\Cingular\Communication Manager\CingularCCM.exe -a
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\oqdsregr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: drtw3a - drtw3a.dll (file missing)
O20 - Winlogon Notify: emul65 - C:\WINNT\SYSTEM32\emul65.dll
O20 - Winlogon Notify: NetCache - C:\WINNT\
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINNT\system32\3339_32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINNT\system32\bmwebcfg.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe
Spyware Doctor Activity Report
Generated on 9/24/2006 6:30:10 PM
Scans (basic information only):
Scan Results:
scan start: 9/24/2006 6:31:07 PM
scan stop: 9/24/2006 6:33:54 PM
scanned items: 42216
found items: 6
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
MediaMotor : media-motor.net High
Trojan.Dropper.Agent.HL : mmohsix.com Elevated
Trojan.Downloader.Small.CDJ C:\WINNT\system32\t1t.exe High
Common Components for Trojans HKLM\SOFTWARE\System\sysold Medium
Common Components for Trojans HKLM\SOFTWARE\System\sysold## Medium
Common Components for Trojans HKLM\SOFTWARE\System\sysold##ms078362-213910.exe Medium
BitDefender Online Scanner
Scan report generated at: Sun, Sep 24, 2006 - 18:19:32
Scan path: C:\;D:\;
Scanned File
Status
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\1996.tmp=>(RAR Sfx o)=>septpop06apsept.exe
Suspected of: Generic.Malware.SYd.A0178C37
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\1996.tmp=>(RAR Sfx o)=>septpop06apsept.exe
Disinfection failed
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\1996.tmp=>(RAR Sfx o)=>septpop06apsept.exe
Deleted
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\1996.tmp=>(RAR Sfx o)
Update failed
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\2024.tmp
Infected with: Trojan.Lowzones.CZ
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\2024.tmp
Disinfection failed
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\2024.tmp
Deleted
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\2948.tmp
Infected with: Trojan.Clicker.VB.IS
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\2948.tmp
Disinfection failed
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\2948.tmp
Deleted
C:\Program Files\popupwithcast\septpop06apsept.exe
Suspected of: Generic.Malware.SYd.A0178C37
C:\Program Files\popupwithcast\septpop06apsept.exe
Disinfection failed
C:\Program Files\popupwithcast\septpop06apsept.exe
Delete failed
C:\WINNT\ac3_0002.exe
Infected with: Trojan.Downloader.Small.BCN
C:\WINNT\ac3_0002.exe
Disinfection failed
C:\WINNT\ac3_0002.exe
Deleted
C:\WINNT\popupwithcast.exe=>(RAR Sfx o)=>septpop06apsept.exe
Suspected of: Generic.Malware.SYd.A0178C37
C:\WINNT\popupwithcast.exe=>(RAR Sfx o)=>septpop06apsept.exe
Disinfection failed
C:\WINNT\popupwithcast.exe=>(RAR Sfx o)=>septpop06apsept.exe
Deleted
C:\WINNT\popupwithcast.exe=>(RAR Sfx o)
Update failed
C:\WINNT\srvhbgtssw.exe=>(NSIS o)=>lzma_nsis0001
Infected with: Trojan.Clicker.VB.FN
C:\WINNT\srvhbgtssw.exe=>(NSIS o)=>lzma_nsis0001
Disinfection failed
C:\WINNT\srvhbgtssw.exe=>(NSIS o)=>lzma_nsis0001
Deleted
C:\WINNT\srvhbgtssw.exe=>(NSIS o)
Update failed
C:\WINNT\system32\3339_32.dll
Infected with: DeepScan:Generic.Malware.SMw.C237746C
C:\WINNT\system32\3339_32.dll
Disinfection failed
C:\WINNT\system32\3339_32.dll
Delete failed
C:\WINNT\system32\cbxusro.dll
Infected with: Trojan.Agent.VX
C:\WINNT\system32\cbxusro.dll
Disinfection failed
C:\WINNT\system32\cbxusro.dll
Deleted
C:\WINNT\system32\drivers\etc\hosts.20060924-160217.backup
Infected with: Generic.Qhost.78CD5A48
C:\WINNT\system32\drivers\etc\hosts.20060924-160217.backup
Disinfection failed
C:\WINNT\system32\drivers\etc\hosts.20060924-160217.backup
Deleted
C:\WINNT\system32\ismini.exe
Suspected of: Trojan.Zlob.BY
C:\WINNT\system32\ismini.exe
Disinfection failed
C:\WINNT\system32\ismini.exe
Deleted
C:\WINNT\system32\perzum.exe
Infected with: Generic.Malware.SYd!dld.18FB451A
C:\WINNT\system32\perzum.exe
Disinfection failed
C:\WINNT\system32\perzum.exe
Delete failed
C:\WINNT\Temp\ASHeuristic\emul65_dll.vir
Infected with: DeepScan:Generic.PWStealer.851FDDC4
C:\WINNT\Temp\ASHeuristic\emul65_dll.vir
Disinfection failed
C:\WINNT\Temp\ASHeuristic\emul65_dll.vir
Deleted
C:\WINNT\Temp\ASHeuristic\perzum_exe.vir
Infected with: Generic.Malware.SYd!dld.18FB451A
C:\WINNT\Temp\ASHeuristic\perzum_exe.vir
Disinfection failed
C:\WINNT\Temp\ASHeuristic\perzum_exe.vir
Deleted
C:\WINNT\zbidgycA.exe
Infected with: Trojan.Popper.A
C:\WINNT\zbidgycA.exe
Disinfection failed
C:\WINNT\zbidgycA.exe
Delete failed
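Added example (not part of the original thread and not code from any of the tools named in it): a small Python script that parses the HijackThis autostart lines and the alternating file/status lines of the BitDefender report posted above, then lists the autostart binaries the scanner flagged but reported "Delete failed" on. The sample strings are a subset copied from the logs in this post; the function names and regular expressions are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the HijackThis lines posted in this
# thread (raw string, so the single backslashes are kept as-is).
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\perzum.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [zbidgycA] C:\WINNT\zbidgycA.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\oqdsregr.exe
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINNT\system32\3339_32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
"""

# Constructed sample input: a subset of the BitDefender report above. The
# report alternates one "scanned file" line with one "status" line.
BITDEFENDER_REPORT = r"""
C:\Program Files\popupwithcast\septpop06apsept.exe
Suspected of: Generic.Malware.SYd.A0178C37
C:\Program Files\popupwithcast\septpop06apsept.exe
Disinfection failed
C:\Program Files\popupwithcast\septpop06apsept.exe
Delete failed
C:\WINNT\system32\3339_32.dll
Infected with: DeepScan:Generic.Malware.SMw.C237746C
C:\WINNT\system32\3339_32.dll
Disinfection failed
C:\WINNT\system32\3339_32.dll
Delete failed
C:\WINNT\system32\perzum.exe
Infected with: Generic.Malware.SYd!dld.18FB451A
C:\WINNT\system32\perzum.exe
Disinfection failed
C:\WINNT\system32\perzum.exe
Delete failed
C:\WINNT\zbidgycA.exe
Infected with: Trojan.Popper.A
C:\WINNT\zbidgycA.exe
Disinfection failed
C:\WINNT\zbidgycA.exe
Delete failed
"""

# A Windows path ending in an executable extension; non-greedy, so the first
# .exe/.dll/.ocx after the drive letter closes the match (example's own regex).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx)", re.IGNORECASE)
# HijackThis section tag at the start of a line, e.g. "O4 - ", "F2 - ".
SECTION_RE = re.compile(r"^([A-Z]\d+) - ")


def parse_hijackthis(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, raw line, lower-cased binary path) for every
    HijackThis entry that names a file on disk."""
    entries = []
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        paths = PATH_RE.findall(line)
        if section and paths:
            entries.append((section.group(1), line, paths[0].lower()))
    return entries


def parse_bitdefender(text: str) -> Dict[str, List[str]]:
    """Pair the alternating file/status lines and return, per on-disk file
    (archive members collapse to their container before "=>"), the status
    history in report order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    history: Dict[str, List[str]] = {}
    for path_line, status in zip(lines[0::2], lines[1::2]):
        on_disk = path_line.split("=>")[0].lower()
        history.setdefault(on_disk, []).append(status)
    return history


def surviving_autostarts(hjt_text: str, bd_text: str) -> List[Tuple[str, str, str]]:
    """Autostart entries whose binary the scanner flagged but could not
    remove: (HijackThis section, path, detection name)."""
    bd = parse_bitdefender(bd_text)
    hits = []
    for section, _line, path in parse_hijackthis(hjt_text):
        statuses = bd.get(path)
        if statuses and statuses[-1] == "Delete failed":
            hits.append((section, path, statuses[0]))
    return hits


if __name__ == "__main__":
    for section, path, detection in surviving_autostarts(HIJACKTHIS_LOG, BITDEFENDER_REPORT):
        print(f"{section:<4} {path}  <-  {detection}")
```

Run as-is it lists perzum.exe, septpop06apsept.exe and zbidgycA.exe (all O4 Run keys) and 3339_32.dll (the O21 SSODL entry). Each of those also appears under Running processes above, which is a common reason an online scanner can flag a file yet fail to delete it: the binary is loaded and locked, and its autostart entry brings it back on the next boot. That is the situation the Safe Mode step in the helper's instructions is meant to address.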
Comments
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
Close ewido anti-spyware and reboot your computer into Safe Mode. IMPORTANT: Do not open any other windows or programs while ewido is scanning, as it may interfere with the scanning process.
Also, I keep getting these errors whenever I turn on the laptop -
1. Ggees329 - Run-time error '35756'...
2. Problem with ShortCut - TA_Start.Ink...
3. RUNDLL - error loading w019618.dll...
I Googled for solutions or discussions but couldn't find anything on them, which is rather funny.
KASPERSKY ONLINE SCANNER REPORT
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\cust\Application Data\Sierra Wireless\SwiApi\SwiApiLog_5.txt Object is locked skipped
C:\Documents and Settings\cust\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\cust\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\cust\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\cust\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cust\Local Settings\History\History.IE5\MSHist012006092520060926\index.dat Object is locked skipped
C:\Documents and Settings\cust\Local Settings\Temp\qddfpvot.dll Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\3352.tmp Infected: Trojan-Spy.Win32.VBStat.e skipped
C:\Documents and Settings\cust\Local Settings\Temporary Internet Files\Content.IE5\4A3RCB68\licence[1].php Object is locked skipped
C:\Documents and Settings\cust\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cust\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\cust\ntuser.dat.LOG Object is locked skipped
C:\WINNT\AdvPack.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\3339_32.dll Infected: Trojan.Win32.Agent.pk skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
PANDA ACTIVESCAN ONLINE REPORT
Incident Status Location
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\cust\Local Settings\Temp\qddfpvot.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\cust\Local Settings\Temp\W01083060Z\3352.tmp
Adware:Adware/IconAds Not disinfected C:\Documents and Settings\cust\Local Settings\Temp\~nsu.tmp\Au_.exe
Virus:Trj/PayClicker.EC Not disinfected C:\WINNT\Eim03.exe[²íÇ]
Adware:Adware/TopMoxie Not disinfected C:\WINNT\popupwithcast.exe[Cast.dll]
Adware:Adware/DigInk Not disinfected C:\WINNT\srvhbgtssw.exe[Gck26.exe]
Adware:Adware/DigInk Not disinfected C:\WINNT\srvhbgtssw.exe[TagASaurus.exe]
Spyware:Spyware/7r7t Not disinfected C:\WINNT\srvtvxzxui.exe
SPYWARE DOCTOR REPORT
Infection Name Location Risk
Known Bad Sites C:\Documents and Settings\cust\Local Settings\Temporary Internet Files\Content.IE5\EBOTOMFH\19-default_1x1[1].gif High
Common Components for Trojans HKLM\SOFTWARE\System\sysold Medium
Common Components for Trojans HKLM\SOFTWARE\System\sysold## Medium
Common Components for Trojans HKLM\SOFTWARE\System\sysold##ms078362-213910.exe Medium
Thanks so much for all the help!