
Solved: Trojan SwfDL

Discussion in 'Virus & Other Malware Removal' started by UBnice2me, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    I am having difficulty removing Trojan SwfDL.A from my temporary internet files. I am using Windows XP SP2. I have read several of the other posts and have run ATF and CleanUp40 with no success, even from Safe Mode. I have attempted to go to the Control Panel, under Internet Options, and delete all temporary files including offline files, but that did not work. I am going to run HijackThis and post it after typing this.
     
  2. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    Here is my Hijack This log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:07:12 PM, on 6/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
    C:\progra~1\softwin\bitdef~1\bdnagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\lotus\organize\easyclip.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    c:\progra~1\softwin\bitdef~1\bdmcon.exe
    C:\hijackthis\HijackThis.exe
    C:\progra~1\softwin\bitdef~1\bdnews.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/scrapen8.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [RegDoctor] C:\Program Files\RegDoctor\RegDoctor.exe -Quick
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Subscribe to... - \feedscript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133082041592
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135393219166
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
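A note on reading the O23 lines in the log above: the three BitDefender services are flagged "(file missing)" even though bdss.exe, livesrv.exe and vsserv.exe appear in the "Running processes" list a few lines earlier, and the flagged paths are exactly the ones that carry a stray `"` before ` /service`. That is a quoted service ImagePath with arguments that HijackThis 1.99.1 split at the wrong place, not an absent binary. The following is an added example, not code from the thread or from HijackThis, that cross-checks O23 entries against the running-process list to separate that quoting artifact from a service whose executable really is not running. SAMPLE_LOG is a constructed excerpt that reuses lines from the posted log plus one invented "Example Service" entry to exercise the genuine-missing branch; the function names are assumptions.

```python
"""Cross-check HijackThis O23 service entries against the log's running-process list."""
import re

# Constructed excerpt: the first nine lines are copied from the posted log, the
# "Example Service" entry is invented to show a binary that is not running.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: Example Service (EXSVC) - Unknown owner - C:\Program Files\Example\exsvc.exe (file missing)
"""

# "O23 - Service: <display name> (<short name>) - <owner> - <path as printed> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def running_processes(text):
    """Return the lower-cased paths listed under 'Running processes:' (up to the blank line)."""
    procs, in_block = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.add(line.lower())
    return procs


def service_binary(raw_path):
    """Recover the executable from an O23 path as HijackThis printed it.

    A quoted ImagePath with arguments ('"C:\\x\\y.exe" /service') shows up in the log
    without its opening quote but with the closing one, so cut at the first stray
    quote, then keep only the part up to and including '.exe'.
    """
    exe = raw_path.split('"')[0].strip()
    m = re.match(r"(?i)^(.*?\.exe)", exe)
    return m.group(1) if m else exe


def triage_o23(text):
    """Classify every O23 entry: ok, quoting artifact (binary is running), or check on disk."""
    procs = running_processes(text)
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        exe = service_binary(m.group("path"))
        flagged = bool(m.group("missing"))
        if not flagged:
            verdict = "ok"
        elif exe.lower() in procs:
            verdict = "quoting artifact (binary is running)"
        else:
            verdict = "check on disk"
        findings.append({"service": m.group("name"), "exe": exe,
                         "flagged_missing": flagged, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_o23(SAMPLE_LOG):
        print(f"{f['verdict']:40s} {f['service']} -> {f['exe']}")
```

The "check on disk" verdict is only a prompt to look: a service binary that is not running at scan time may simply be a stopped service, so confirm on the file system before treating the entry as malicious or removing it.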
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi and welcome :)

    * Click here to download the trial version of Ewido Security Suite.

    · Install Ewido.
    · Run the application
    · Click on Scanner
    · Click Complete System Scan and the scan will begin
    · When the scan is finished, set all items to delete
    · Apply all actions
    · Look at the bottom of the screen and click the Save Report button
    · Save the report to your C: Drive

    Reboot.

    Post a new Hijack This log and the results of the Ewido scan.
     
  4. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    Thanks for the quick response!

    Here are the results of the scan, and both were deleted.

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:45:46 PM 6/22/2006

    + Scan result:

    :mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2xqoieel.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2xqoieel.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

    ::Report end

    And here is the recent HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:52:13 PM, on 6/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
    C:\progra~1\softwin\bitdef~1\bdnagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\lotus\organize\easyclip.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
    C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/scrapen8.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [RegDoctor] C:\Program Files\RegDoctor\RegDoctor.exe -Quick
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Subscribe to... - \feedscript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133082041592
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135393219166
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open...click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  6. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    Thanks again. I ran ActiveScan, and it reported the following:

    Incident Status Location

    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2xqoieel.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2xqoieel.default\cookies.txt[.atdmt.com/]


    Please note that the trojan is being detected by BitDefender.

    Thanks again for your quick response.
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download ATF Cleaner by Atribune and save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
      • If you use Firefox:
        • Click Firefox at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      • If you use Opera:
        • Click Opera at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.

    Let me know if BitDefender still detects it afterwards.
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Ah, I see you already ran ATF Cleaner?

    Can I have the full path of the infected file found?
     
  9. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    I ran ATF using your instructions, and it did not work that way either.

    Here are the Bitdefender results.


    //-----------------------------------------------------------------
    //
    // Product: BitDefender 9 Professional Plus
    // Version: 9.5
    //
    // Created on: 23/06/2006 14:23:10
    //
    //-----------------------------------------------------------------


    Statistics

    Scan path : C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files
    Folders : 13
    Files : 208
    Archives : 10
    Packed files : 1
    Identified viruses : 1
    Infected files : 6
    Warnings : 0
    Suspect files : 0
    Disinfected files : 0
    Deleted files : 6
    Copied files : 0
    Moved files : 0
    Renamed files : 0
    I/O errors : 0
    Scan time : 00:00:52
    Scan speed (files/sec) : 4

    Spyware Statistics

    Memory processes scanned : 21
    Memory processes infected : 0
    Registry keys scanned : 902
    Registry keys infected : 0
    Cookies scanned : 0
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0


    Virus definitions : 415299
    Scan plugins : 15
    Archive plugins : 42
    Unpack plugins : 5
    Mail plugins : 6
    System plugins : 5

    Scan options

    Detection
    [X] Scan boot sectors
    [X] Scan archives
    [X] Scan packed files
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Second action
    [ ] Ignore
    [X] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1151090590.log

    Spyware scan options

    [X] Memory Processes
    [X] Registry keys
    [X] Cookies


    Summary:

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf=>[SWF command] Deleted
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf Update failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf=>[SWF command] Deleted
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf Update failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SKNXDG5\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SKNXDG5\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SKNXDG5\sp2-cydoor-728[1].swf=>[SWF command] Deleted
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SKNXDG5\sp2-cydoor-728[1].swf Update failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M99Y32LS\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M99Y32LS\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M99Y32LS\sp2-cydoor-728[1].swf=>[SWF command] Deleted
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M99Y32LS\sp2-cydoor-728[1].swf Update failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YZ09EF\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YZ09EF\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YZ09EF\sp2-cydoor-728[1].swf=>[SWF command] Deleted
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YZ09EF\sp2-cydoor-728[1].swf Update failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTUJQBW3\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTUJQBW3\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTUJQBW3\sp2-cydoor-728[1].swf=>[SWF command] Deleted
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTUJQBW3\sp2-cydoor-728[1].swf Update failed

    Thanks again for your help.
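The summary above has the same four-line pattern for each cached copy of sp2-cydoor-728[1].swf: the object inside the container ("=>[SWF command]") is reported infected, disinfection fails, the object is deleted, and then the container line reads "Update failed". Read as the scanner being unable to write the modified container back, that leaves the cached .swf on disk to be flagged again at the next scan, which matches the poster's experience. The following is an added example, not code from the thread, from BitDefender or from Tech Support Guy. It parses that summary format, picks out the containers that were "Deleted" but whose update failed, and removes them from a local copy of the Content.IE5 tree. SAMPLE_LOG is a constructed excerpt reusing two of the posted cache paths; the function names and the temporary cache tree that demo() builds are assumptions.

```python
"""Triage a BitDefender 9 scan summary and clear the cache files it could not rewrite."""
import os
import re
import tempfile
from collections import OrderedDict

# Constructed excerpt in the format of the posted summary (two of the six entries).
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6RU9C3WT\sp2-cydoor-728[1].swf Update failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8T634D6Z\sp2-cydoor-728[1].swf Update failed
"""

# container path, optional embedded object ("=>[SWF command]"), then the reported event
LINE_RE = re.compile(
    r"^(?P<container>.+?)(?:=>\[(?P<inner>[^\]]+)\])?\s+"
    r"(?P<event>Infected: (?P<threat>\S+)|Disinfection failed|Deleted|Update failed)$"
)
CACHE_MARKER = "Content.IE5"


def parse_summary(text):
    """Group summary lines by container file, keeping detection name and action sequence."""
    records = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = records.setdefault(m.group("container"),
                                 {"inner": None, "threat": None, "events": []})
        if m.group("inner"):
            rec["inner"] = m.group("inner")
        if m.group("threat"):
            rec["threat"] = m.group("threat")
        rec["events"].append(m.group("event").split(":")[0])  # "Infected", "Deleted", ...
    return records


def needs_manual_removal(records):
    """Containers whose embedded object was deleted but whose file could not be rewritten."""
    return [path for path, rec in records.items()
            if "Deleted" in rec["events"] and "Update failed" in rec["events"]]


def relative_cache_path(container):
    """Path components below Content.IE5 (the log uses Windows backslashes)."""
    parts = container.split("\\")
    return parts[parts.index(CACHE_MARKER) + 1:]


def remove_from_cache(cache_root, containers, dry_run=True):
    """Delete the listed containers under a local Content.IE5 tree; returns (removed, missing)."""
    removed, missing = [], []
    for container in containers:
        local = os.path.join(cache_root, *relative_cache_path(container))
        if not os.path.isfile(local):
            missing.append(local)
            continue
        if not dry_run:
            os.remove(local)
        removed.append(local)
    return removed, missing


def demo():
    """Plant the two containers in a temporary Content.IE5 tree (assumed layout) and clean up."""
    records = parse_summary(SAMPLE_LOG)
    targets = needs_manual_removal(records)
    root = tempfile.mkdtemp()
    for container in targets:
        local = os.path.join(root, *relative_cache_path(container))
        os.makedirs(os.path.dirname(local), exist_ok=True)
        with open(local, "wb") as fh:
            fh.write(b"FWS")  # uncompressed-SWF magic as stand-in content
    removed, missing = remove_from_cache(root, targets, dry_run=False)
    return {"records": records, "targets": targets, "removed": removed,
            "missing": missing, "left_on_disk": [p for p in removed if os.path.exists(p)]}


if __name__ == "__main__":
    result = demo()
    for path, rec in result["records"].items():
        print(rec["threat"], "in", rec["inner"], "->", " / ".join(rec["events"]))
    print(len(result["removed"]), "container(s) removed,", len(result["missing"]), "missing")
```

Run against a real Content.IE5 directory, keep dry_run=True first and check the reported paths; on a live XP profile the cache index (index.dat) stays open while the user is logged in, which is why the poster's attempts only succeeded from Safe Mode.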
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download Webroot SpySweeper.

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post a new Hijack This log.
     
  11. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    I ran the Webroot SpySweeper and my computer crashed and self-recovered from a serious error. The Microsoft error report blamed the BitDefender firewall, so I removed BitDefender and installed AVAST. I ran the avast boot scan, and it only detected a single infected file in the Windows system, saying it was the CTX virus (I hope it is a false positive). I told AVAST to ignore the file, because it could not repair it and it was a Windows file. I am now rerunning Webroot SpySweeper and will post results shortly.

    You must have the patience of a saint to do this job!

    Thanks again,

    Darryl
     
  12. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    The following is the Webroot SpySweeper log:
    ********
    7:52 PM: | Start of Session, Friday, June 23, 2006 |
    7:52 PM: Spy Sweeper started
    7:52 PM: Sweep initiated using definitions version 706
    7:52 PM: Starting Memory Sweep
    7:57 PM: Memory Sweep Complete, Elapsed Time: 00:04:55
    7:57 PM: Starting Registry Sweep
    7:57 PM: Registry Sweep Complete, Elapsed Time:00:00:15
    7:57 PM: Starting Cookie Sweep
    7:57 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    7:57 PM: Starting File Sweep
    8:32 PM: Found System Monitor: potentially rootkit-masked files
    8:32 PM: g20060409_1917.trf (ID = 0)
    8:32 PM: g20060417_1740.trf (ID = 0)
    8:32 PM: g20060429_0134.trf (ID = 0)
    8:32 PM: g20060422_1609.trf (ID = 0)
    8:34 PM: Warning: Invalid Stream
    8:35 PM: Warning: Unhandled Archive Type
    8:42 PM: File Sweep Complete, Elapsed Time: 00:45:00
    8:42 PM: Full Sweep has completed. Elapsed time 00:50:15
    8:42 PM: Traces Found: 4
    9:01 PM: Removal process initiated
    9:01 PM: Quarantining All Traces: potentially rootkit-masked files
    9:01 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
    9:01 PM: g20060409_1917.trf is in use. It will be removed on reboot.
    9:01 PM: g20060417_1740.trf is in use. It will be removed on reboot.
    9:01 PM: g20060429_0134.trf is in use. It will be removed on reboot.
    9:01 PM: g20060422_1609.trf is in use. It will be removed on reboot.
    9:03 PM: Preparing to restart your computer. Please wait...
    9:03 PM: Removal process completed. Elapsed time 00:01:34
    9:08 PM: IE Tracking Cookies Shield is activated
    9:09 PM: Common Ad Sites Shield is activated
    ********
    6:50 PM: | Start of Session, Friday, June 23, 2006 |
    6:50 PM: Spy Sweeper started
    6:50 PM: Sweep initiated using definitions version 706
    6:50 PM: Starting Memory Sweep
    6:54 PM: Sweep Canceled
    6:54 PM: Memory Sweep Complete, Elapsed Time: 00:03:00
    6:54 PM: Traces Found: 0
    7:48 PM: Processing Startup Alerts
    7:48 PM: Allowed Startup entry: avast!
    7:52 PM: | End of Session, Friday, June 23, 2006 |
    ********
    5:50 PM: | Start of Session, Friday, June 23, 2006 |
    5:50 PM: Spy Sweeper started
    5:50 PM: Sweep initiated using definitions version 706
    5:50 PM: Starting Memory Sweep
    5:55 PM: Memory Sweep Complete, Elapsed Time: 00:05:25
    5:55 PM: Starting Registry Sweep
    5:55 PM: Registry Sweep Complete, Elapsed Time:00:00:15
    5:55 PM: Starting Cookie Sweep
    5:55 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    5:55 PM: Starting File Sweep
    6:43 PM: Found System Monitor: potentially rootkit-masked files
    6:43 PM: g20060409_1917.trf (ID = 0)
    6:43 PM: g20060417_1740.trf (ID = 0)
    6:43 PM: g20060429_0134.trf (ID = 0)
    6:43 PM: g20060422_1609.trf (ID = 0)
    ********
    5:48 PM: | Start of Session, Friday, June 23, 2006 |
    5:48 PM: Spy Sweeper started
    5:48 PM: Your spyware definitions have been updated.
    5:50 PM: | End of Session, Friday, June 23, 2006 |

    And here is the latest HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:06:23 PM, on 6/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\lotus\organize\easyclip.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Azureus\Azureus.exe
    C:\WINDOWS\system32\ping.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/scrapen8.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [RegDoctor] C:\Program Files\RegDoctor\RegDoctor.exe -Quick
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Subscribe to... - \feedscript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133082041592
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135393219166
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    Thanks again
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    No problem ;) Are those detections still found in Temporary Internet Files?
     
  14. UBnice2me

    UBnice2me Thread Starter

    Joined:
    Jun 22, 2006
    Messages:
    8
    I finally was able to remove the trojan by running CCleaner while in the safe mode.

    Thanks for helping me.
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You're welcome :)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer.

    Turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
Short URL to this thread: https://techguy.org/477499
