
Thread: proxy.small.ct infection

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    2

    proxy.small.ct infection

    Hi

    I have a problem where my system starts emailing hundreds of emails and my Symantec tries to scan them and often fails, with the result of dozens of Symantec error messages. I have run the ewido online scan, which finds proxy.small.ck in memory; it will remove it but it is immediately reloaded. In addition S&D finds win32.small.dp and nat, which again can be cleared but reload after reboot (I'm not sure whether the two things are related).

    I have run smitfraud, BlackLight, and spydoctor in an attempt to fix the prob, but these report everything is ok.

    Below is the hjt log if this can give any clues.

    One other point: if the system is in safe mode with networking, none of the problems exist and the ewido online scan doesn't find the prob.

    Thanks in advance

    Tricky006

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)

    Sorry, didn't read all the instructions properly; here's the hjt log using the correct version. I have included logs from spydoctor, which I have installed on the machine, and Panda, which I ran online, but other online work is hard as the system will start the spamming email, so the Panda scan didn't finish (I have already been blacklisted on spamcop and don't want things to get any worse). Ewido online finds proxy.small.ct in memory which, when removed, reloads, and S&D finds win32.small.ct again, which reloads after a reboot.

    Thanks again in advance

    Tricky006

    Logfile of HijackThis v1.99.1
    Scan saved at 12:13:59, on 13/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Citrix\GoToMeeting\190\g2mstart.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\ACT\SideACT.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Citrix\GoToMeeting\190\g2mcomm.exe
    C:\Program Files\Citrix\GoToMeeting\190\g2mlauncher.exe
    C:\HiJack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...suk&channel=uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
    O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\190\g2mstart.exe "/Trigger RunAtLogon"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
    O9 - Extra button: SIM Card Manager - {5F2F8F24-DA89-4DD2-AFB3-F516D4CD6558} - C:\Program Files\emobile\SIM Card Manager.exe
    O9 - Extra 'Tools' menuitem: SIM Card Manager - {5F2F8F24-DA89-4DD2-AFB3-F516D4CD6558} - C:\Program Files\emobile\SIM Card Manager.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1155475029954
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VisionHouseSoftwareLTD.local
    O17 - HKLM\Software\..\Telephony: DomainName = VisionHouseSoftwareLTD.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VisionHouseSoftwareLTD.local
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: SQL Server (ACT7) (MSSQL$ACT7) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7 (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    Spyware Doctor

    12/04/2007 09:45:48:399 Infection was detected on this computer
    Threat Name - Common Components Unrelated
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_USERS\S-1-5-21-3573651297-1390627186-2834926795-1140\Software\Microsoft\Internet Explorer\Desktop, id

    Note: at that location in the registry there is an entry "host" which has a value of 69.46.19.47 (if this is relevant).

    Panda
    Incident Status Location

    Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Administrator.VISIONHOUSESOFT\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\channels_02[1].gif
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and settings\TonyHales\Desktop\SmitfraudFix\Process.exe
    Virus:Trj/Shutdown.Z
    Last edited by tashi; 2007-04-25 at 21:09. Reason: Two posts merged for zero response
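As an added example (not part of the original post), a small Python triage script that parses HijackThis log lines like the ones above and flags the boot-time load points a responder checks first when something reloads after removal: O20 AppInit_DLLs, O20 Winlogon Notify, O23 services with a missing binary, O16 ActiveX downloads, and 8.3 short paths that should be expanded before judging the file. The sample lines are copied from the posted log; the flagging rules are my own, not HijackThis's.

```python
import re

# Constructed sample: five lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: SQL Server (ACT7) (MSSQL$ACT7) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7 (file missing)
"""

# HijackThis entries look like "O20 - <detail>" or "R1 - <detail>".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<detail>.+)$")
# 8.3 short names such as PROGRA~1 or GOEC62~1.DLL hide the real name.
SHORT_PATH_RE = re.compile(r"\\[A-Z0-9]{1,6}~\d")


def parse_hjt(text):
    """Split a HijackThis log into (section, detail) tuples, skipping the
    process list, headers and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def triage(text):
    """Return the entries worth a closer look, each with the reasons.
    The rules cover load points that run before or independently of the
    logged-on user, which is what makes a payload reappear after removal."""
    flagged = []
    for section, detail in parse_hjt(text):
        reasons = []
        if section == "O20" and detail.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs loads into every user-mode process")
        if section == "O20" and detail.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify DLL loads before any user logs on")
        if section == "O23" and "(file missing)" in detail:
            reasons.append("service points at a missing binary")
        if section == "O16":
            reasons.append("ActiveX download site; confirm the URL is trusted")
        if SHORT_PATH_RE.search(detail):
            reasons.append("8.3 short path; expand it before judging the file")
        if reasons:
            flagged.append({"section": section, "detail": detail, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["section"], "|", "; ".join(hit["reasons"]), "|", hit["detail"])
```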

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,913


    Hello and sorry for the wait.

    If you have not resolved the problem, we have this sticky topic:

    If you have waited four days for advice, post here.
    Microsoft MVP. Consumer Security 2006-2014


  3. #3
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,913


    This topic has been archived.

    If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
    Microsoft MVP. Consumer Security 2006-2014

