
Solved: got a trojan/spyware, please help

Discussion in 'Virus & Other Malware Removal' started by Mikael, Jul 10, 2006.

Thread Status:
Not open for further replies.
  1. Mikael

    Mikael Thread Starter

    Joined:
    Jul 10, 2006
    Messages:
    2
    Hello.

    I've been reading here for some days, and decided to register because although others here seem to have had similar problems to mine, they were a bit different, so I wasn't sure what to do.

    Some days ago I discovered that I had trojans on my computer. At that time I had an outdated version of Norton Internet Security 2005 (definitions etc. were up to date at least). According to Norton their names were trojan.zlob and trojan.nebuler.
    Image of what it didn't manage to remove:
    http://img88.imageshack.us/img88/7591/trojannebuler5ec.jpg

    I also noticed small programs had been installed without me knowing it, for example one called 'Cowabanga by OIN', which I removed once or twice. (It's still in the registry, however.)

    Internet Explorer got hijacked, popping up ads, and when I tried to enter Windows Update I got this: http://img136.imageshack.us/img136/1051/fakemaybe8fu.jpg
    I have been using Mozilla Firefox for some time, haven't noticed anything there.

    The programs I have now are CWShredder, Ad-Aware SE Personal, Spybot - Search & Destroy, Ewido anti-spyware, X-cleaner and Panda Platinum 2006 Internet Security (trialware).
    I also have Spyware Doctor and Xoftspy; these seem to find the most infected files, but both are trialware, so I can only scan; I can't remove the stuff. :(
    Here's what Spyware Doctor found yesterday:
    http://img134.imageshack.us/img134/1581/trojanskvar6md.jpg

    Xoftspy found a bunch of stuff called WinPCap or something. Got no screenshot of that.

    All the programs I listed tend to only find tracking cookies or nothing at all. It's mostly just Spyware Doctor that seems to 'see' them. Oh, and I also tried Trend Micro's online scanner; the first time it did find one weird thing (something in capital letters that started with ADW, I don't remember), but since then, nothing.

    I don't really have anything important on the computer, but I did order some movies on the net the other week, so I got this spooky feeling that some of these files could record the keys or find out about my bank account somehow. :eek:
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    Click here to download HJTsetup.exe
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialog box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. Mikael

    Mikael Thread Starter

    Joined:
    Jul 10, 2006
    Messages:
    2
    Whoa, down to the fourth page already. :)
    Anyway, I decided to "give up" and so did the second-best thing I could do: I have no Windows XP disc with this computer (Dell), so I had to use something called PC Restore, which resets the computer to the state it was in when I bought it.
    According to Dell Support this would take care of everything.

    But I'm still a bit paranoid, so I did a HijackThis scan anyway; here's the log.
    The log didn't get very big, but I haven't installed much at all yet.

    And if it is now safe, can you give me any dos and don'ts so I'll be a bit safer in the future?
    I would like to shop online without having to be afraid of something getting my Visa card info or bank account. :(

    Logfile of HijackThis v1.99.1
    Scan saved at 10:14:14, on 2006-07-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\ccProxy.exe
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\Program\Norton Internet Security\ISSVC.exe
    C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
    C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program\Dell\Media Experience\DMXLauncher.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
    C:\Program\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program\GreenBorder\gbChgMon.exe
    C:\Program\ATI Technologies\ATI.ACE\cli.exe
    C:\Program\ATI Technologies\ATI.ACE\cli.exe
    C:\Program\Mozilla Firefox\firefox.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You have to be very careful when using your credit card! I'm sure you know that ;)

    I hope these links will help you out! Surf safe! :)

    Good free tools and advice on how to tighten your security settings.
    Click here

    Security Help Tools
    Click here
     
Short URL to this thread: https://techguy.org/481944