PDA

View Full Version : Troj/taladra-f, 180solutions, clipgenie,searchexe



panchoingcom
2006-03-11, 18:28
Hi!


The mwaw detected the following malwares

Sat Mar 11 13:09:17 2006 => System found infected with searchexe Spyware/Adware ({807553e5-5146-11d5-a672-00b0d022e945})!

Action taken: No Action Taken.
Sat Mar 11 13:09:17 2006 => System found infected with troj/taladra-f BackDoor ({e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c})!

Action taken: No Action Taken.
Sat Mar 11 13:09:25 2006 => Offending file found: C:\WINDOWS\twain_16.dll
Sat Mar 11 13:09:25 2006 => System found infected with adware.7000n Spyware/Adware (twain_16.dll)! Action taken: No Action

Taken.

Sat Mar 11 13:09:25 2006 => Offending Folder found: C:\WINDOWS\DOWNLO~1\conflict.1
Sat Mar 11 13:09:25 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Mar 11 13:09:26 2006 => Offending file found: C:\Documents and Settings\usuario\Datos de programa\chessbase\channels.ini

This one is my log hijack

Logfile of HijackThis v1.99.1
Scan saved at 01:03, on 11-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Archivos de programa\CA\eTrust Internet Security Suite\caissdt.exe
C:\Archivos de programa\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Archivos de programa\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Anti Trojan Elite\TJEnder.exe
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\Archivos de programa\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\System32\cisvc.exe
C:\Archivos de programa\Archivos comunes\MicroWorld\Agent\MWASER.EXE
C:\Archivos de programa\Archivos comunes\MicroWorld\Agent\MWAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Archivos de programa\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Archivos de programa\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Archivos de programa\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de

programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de

programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -

https://www.windowsonecare.com/install/cli/0.9.0929.18/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://dl.boston.runaware.com/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender-es.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134082585828
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) -

http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -

http://www.bitdefender-es.com/scan/Msie/bitdefender.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -

http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4708/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A6FBD56-72D4-4834-9CB5-B1B9AEA09F88}: NameServer = 192.168.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAB75DBE-748C-451D-BF97-C2B1870BF329}: NameServer = 200.72.1.5 200.72.1.11
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Archivos de programa\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Archivos de programa\CA\eTrust Internet Security

Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Archivos de programa\CA\eTrust

Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


since I can eliminate them?

Thank you very much

LonnyRJones
2006-03-14, 17:46
Hi panchoingcom
You Still out there ?
You hijackthis log looks fine, I suggest not bothering with what mauve reported, minor things.

panchoingcom
2006-03-15, 02:26
Hi LonnyRJones!
Thanks for the answer. I will follow your advice

LonnyRJones
2006-03-15, 07:14
Update suns java manualy
Sun Java V1.5.0_06 is Available: http://java.com/en/index.jsp
Afterwards Turn off it's auto-updater,(Its buggy) , in control panel java >
update tab uncheck its option to update automatically.
After you install the newer version its important to uninstall the old versions, via addremove programs.
http://forums.spybot.info/showthread.php?t=2559

Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279


Best regards

tashi
2006-03-20, 19:26
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.
Cheers.