Solved: got a trojan/spyware, please help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Mikael

Thread Starter
Joined
Jul 10, 2006
Messages
2
Hello.

I've been reading here for a some days, and decided to register because although others here seem to have had similar problems like me, they were a bit different so wasn't sure what to do.

Some days ago I discovered that I had trojans on my computer. At that time I had an outdated version of Norton Internet Security 2005 (definitions etc. was up-to-date atleast). According to Norton their names were trojan.zlob and trojan.nebuler.
Image of what it didn't manage to remove:
http://img88.imageshack.us/img88/7591/trojannebuler5ec.jpg

I also noticed small programs had been installed without me knowing it, for example one called 'Cowabanga by OIN', which I removed once or twice. (it's still in the registry however)

Internet Explorer got hijacked, popping up ads and when I tried to enter Windows Update I got this: http://img136.imageshack.us/img136/1051/fakemaybe8fu.jpg
I have been using Mozilla Firefox for some time, haven't noticed anything there.

The programs I have now are CWShredder, Ad-Aware SE Personal, Spybot - Search & Destroy, Ewido anti-spyware, X-cleaner and Panda Platinum 2006 Internet Security (trialware).
I also have Spyware Doctor and Xoftspy, these seem to find the most infected files, but both are trialware and I can only scan, I can't remove the stuff. :(
Here's what Spyware Doctor found yesterday:
http://img134.imageshack.us/img134/1581/trojanskvar6md.jpg

Xoftspy found a bunch of stuff called WinPCap or something. Got no screenshot of that.

All the programs I listed tends to only find tracking cookies or nothing at all. It's mostly just Spyware Doctor that seems 'see' them. Oh and I also tried Trend Micro's online scanner, first time it did found 1 weird thing (something with big letters that started with ADW, don't remember), but since then, nothing.

I don't really have anything important on the computer, but I did order some movies on the net the other week, so I got this spooky feeling that some of these files could record the keys or find out about my bank account somehow. :eek:
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi, Welcome to TSG!!

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

Mikael

Thread Starter
Joined
Jul 10, 2006
Messages
2
Woaw, down to fourth page already. :)
Anyway, I decided to "give up" and so I did the second best thing I could do, I have no Windows XP disc with this computer (Dell) so I had to use something called PC Restore, which resets the computer to the state it was when I bought it.
According to Dell Support this would take care of everything.

But I'm still a bit paranoid so I did a hijackthis scan anyway, here's the log.
The log didn't get very big, but I haven't installed much at all yet.

And if it now is safe, can you give any do's and dont's so I'll be a bit safer in the future?
I would like to shop online without having to be afraid of something getting my visa-card info or bank account. :(

Logfile of HijackThis v1.99.1
Scan saved at 10:14:14, on 2006-07-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\Dell\Media Experience\DMXLauncher.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\Program\Java\jre1.5.0_07\bin\jusched.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program\GreenBorder\gbChgMon.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
You have to be very careful when using your credit card! I'm sure you know that ;)

I hope these links will help you out! Surf safe! :)

Good free tools and advice on how to tighten your security settings.
Click here

Security Help Tools
Click here
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top