Fusion Dan
2006-04-21, 18:25
Have I been successful in removing spyware?
I have run Smitrem, Spybot S&D and Ewido.
I then ran Activescan and HijackThis. They both appear to have found stuff on my computer; here are the logs:
Incident Status Location
Adware:adware/securityerror Not disinfected C:\WINNT\SYSTEM32\dxole32.exe
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Virus:VBS/Psyme.gen Renamed C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\5VJB518E\shellscript[1]_js.vir
Adware:Adware/NetPals Not disinfected C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\9WWR5HS5\b0ba34a[1].cab[ATPartners.inf]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dan.FUSION\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dan.FUSION\Desktop\smitRem.exe[Process.exe]
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc124.txt
Spyware:Cookie/MediaTickets Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc159.txt
Spyware:Cookie/Com.com Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc16.txt
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc170.txt
Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc18.txt
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc196.txt
Spyware:Cookie/TeensForCash Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc235.txt
Spyware:Cookie/Uproar Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc24.txt
Spyware:Cookie/Tickle Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc241.txt
Spyware:Cookie/Toplist Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc244.txt
Spyware:Cookie/Xiti Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc386.txt
Spyware:Cookie/Xmts Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc387.txt
Spyware:Cookie/bravenetA Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc54.txt
Spyware:Cookie/Cgi-bin Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc67.txt
Spyware:Cookie/did-it Not disinfected C:\RECYCLER\S-1-5-21-1939357980-3118742769-1301622575-1140\Dc93.txt
Virus:Trj/Agent.BWT Disinfected C:\WINNT\system32\dxole32.exe
-----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:35:21, on 21/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINNT\system32\hpD1AE.tmp (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
Have I successfully removed the spyware, or should I attempt something further?
Cheers
Dan