Help - Search - Members - Calendar
Full Version: Am I Free?
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Aarontrio
Apr 5 2006, 06:36 AM
I had SpyQuake and it sucked, found some 6 pages of instructions on how to remove it and clean up. It was successfully removed. Here are the logs of all the scans:



Used Ewido[/size][size=5]

+ Created on: 12:27:25 AM, 4/5/2006
+ Report-Checksum: B8C10ED0

+ Scan result:

C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup


::Report End

Used Activescan[size=5]

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron\Cookies\aaron@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Aaron\Cookies\aaron@questionmarket[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron\Cookies\aaron@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Aaron\Cookies\aaron@questionmarket[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Aaron\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Aaron\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Aaron\Desktop\Unused Desktop Shortcuts\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Aaron\Desktop\Unused Desktop Shortcuts\smitRem.exe[Process.exe]
Dialer:Dialer.BEW Not disinfected C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\G96JGDA7\connect[1][Content]
Used HijackThis[size=5]

Logfile of HijackThis v1.99.1
Scan saved at 1:09:27 AM, on 4/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\Aaron\Desktop\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Aaron\Desktop\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Aaron\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\MESSEN~1\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\MESSEN~1\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142412590171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Aaron\Desktop\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Aaron\Desktop\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm1


Yeah I don't really know what all that means but everything seems okay i just have a bunch of folders on my desktop now... Can I delete all these folders now (ewido, roguescanfix, smitrem) or should I keep one handy? Am I free? Safe? Do I have sork to do still? The instructions note: "If you had one of the following closely related variants of desktop hijack please see here for removal instructions: Smitgraud Removal - Desktop type hijackers, SpyAxe, SpySheriff, Spyware Strike, etc... " I definitly had SpywareQuake. It's defenitly gone now. Email me please at Aarontrio_AT_yahoo.com if you have suggestions otherwise I guess I'm cool!

Removed email address! Spammers do lurk here to harvest them.
Bobbi Flekman
Apr 5 2006, 08:02 AM
Hi Aarontrio

From Panda I see that you also have SmitRem, did you run it? Can you post the log it made.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.


You look clean, but if I were you I would install Ewido to a "normal" place in the Program Files folder. Or uninstall it. The rest you can delete.
Aarontrio
Apr 7 2006, 05:26 AM
Okay I ran SmitRem, it did not make a log however. I let it do it's thing which seemed like a lot of scanning and disc compression/cleaning. Did i misplace a log?
Um, I ran HijackThis, Scanned, and checked the boxes you indicated. I fixed them and restarted. I'm feeling free although something scary did happen a little bit ago - when I was trying to post this log, I opened up my browser and the web address in the address bar read something like http://red.clientapps.yahoo blah blah blah which appears to be, or at least related to, one of those boxes that I thought I checkmarked and fixed with HijackThis. Is that address (red.clinentapps.yahoo.com...) malicious or mean spirited? Is there an easy explanation?
I'm feeling free and breezy, but somewhat suspicious.
You guys are great by the way.
Bobbi Flekman
Apr 7 2006, 01:48 PM
Hi Aarontrio,

SmitRem should create a log in the root of your systemdrive (usually C) called SmitRem.txt. Red.clientapps is RedSherrif, a minor infection, but still... I would fix it if it comes back in the log.
Aarontrio
Apr 8 2006, 10:55 PM
I cannot find smitrem.txt... hmm... is it important enough to try the scan again? and is red.clientapps.yahoo thingie easy to delete and or should i? How minor is minor?
Thanks friend.
Bobbi Flekman
Apr 9 2006, 08:28 AM
Hi Aarontrio,

QUOTE
I cannot find smitrem.txt... hmm... is it important enough to try the scan again? and is red.clientapps.yahoo thingie easy to delete and or should i? How minor is minor?
It's not important anymore. It is a logfile of what it cleaned. Since it is already cleaned, the log of a re-run would be useless in that it would only say "Clean!". If you follow the directions that I posted earlier (HijackThis) RedSheriff should be gone. Minor is that it is hardly a nuisance and many people have discussions as to whether it should be fixed at all.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.