
Spybot SD Resident & Spyware Doctor



sotour
2006-07-02, 21:48
I have a computer infected with a lot of malware. After several sleepless nights I was able to clean some of the mess, but now I'm confused...

Spyware Doctor still finds these:

Backdoor.CXH
Trojan Polymorph

When Spyware Doctor deletes them I get a Spybot window "... has detected an important registry that has been changed."
Category: Winlogon Notifiers
Change: Value deleted
Entry: artm_newreg

Allow Change is highlighted
I allow it

Category: Winlogon Notifiers
Change: Value deleted
Entry: polymorphreg

Allow Change is highlighted
I allow it

I do a reboot and get again the Spybot window "... has detected an important registry that has been changed."

Category: System Startup user entry
Change: Value Deleted
Entry: Shell
Old Data: C:\ProgramFiles\Common Files\Microsof S - I can't see more

Allow Change / Deny Change
I allow it

I do another reboot and get again the Spybot window "... has detected an important registry that has been changed."

Category: System Startup user entry
Change: Value Deleted
Entry: Shell
Old Data: C:\ProgramFiles\Common Files\Microsof S - I can't see more

Allow Change / Deny Change
I allow it

I do another Spyware Doctor scan and find both pieces of malware back again...

Lost in confusion - please help

Many thanks

Bob

tashi
2006-07-02, 22:41
Quote: "I have a computer infected with a lot of malware."

Hello.

Please see our 'sticky' topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

sotour
2006-07-04, 00:30
Spybot SD is up to date and finds a clean system, both running in Safe Mode and in Windows.

All the following checks have been made with TeaTimer disabled:

McAfee: No viruses

F-Secure online:
Scanning Report
Monday, July 03, 2006 02:44:52 - 13:10:42
Computer name: SABRE20
Scanning type: Scan target for viruses, rootkits, spyware
Target: C:\

Result: 3 malware found

Tracking Cookie (spyware)
System (Disinfected)
Trojan-Downloader.Win32.Obfuscated.n (virus)
C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe (Renamed & Submitted)
C:\WINDOWS\system32\e1cb5eeb.exe (Renamed)



Statistics

Scanned:
Files: 133969
System: 3571
Not scanned: 31
Actions:
Disinfected: 1
Renamed: 2
Deleted: 0
None: 0
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\DVS_EXCL.MMF
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.MMF
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\DAV_EXCL.MMF
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\DAV_SCAN.MMF
C:\DOCUMENTS AND SETTINGS\SABRE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\SABRE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\SABRE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\Sabre\Local Settings\Temporary Internet Files\Content.IE5\0D67GD6N\ebBannerMain_60_22[1].js\ebBannerMain_60_22[1]
C:\Documents and Settings\Sabre\Local Settings\Temporary Internet Files\Content.IE5\BEWNVLSH\jetairfly[7].css\jetairfly[7]
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip\vx.tll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\winsub.xml
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip\svcp.csv
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig.zip\ibm00001.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig1.zip\$_2341233.TMP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig2.zip\$_2341234.TMP
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{4C3DA120-07AE-4B18-BDDC-DB82E663B5B2}.BIN
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_3AC.DAT
C:\WINDOWS\TEMP\ZLT04713.TMP
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT



Options

Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-01
F-Secure Libra: 2.4.1, 2006-06-30
F-Secure Orion: 1.2.37, 2006-06-30
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-05-14
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics


Spyware Doctor:
Spyware Doctor Activity Report
Generated on 03/07/2006 16:15:07
Scans (basic information only):
Scan Results:
scan start: 03/07/2006 16:24:15
scan stop: 03/07/2006 16:31:21
scanned items: 118919
found items: 1
found and ignored: 0
tools used: General Scanner, Process Scanner, Registry Scanner, Browser Activity Scanner, Startup Scanner, LSP Scanner, Browser Scanner, Hosts Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
Common Components Unrelated C:\Documents and Settings\All Users\Documents\Settings\desktop.ini Medium

Panda Online:
Incident Status Location
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\e1cb5eeb.0xe
Other Sections:


E-trust Online:
Finds it clean now too


And a last Spyware Doctor scan:
Spyware Doctor Activity Report
Generated on 03/07/2006 23:45:39
Scans (basic information only):
Scan Results:
scan start: 03/07/2006 23:56:07
scan stop: 04/07/2006 00:05:01
scanned items: 119773
found items: 0
found and ignored: 0
tools used: General Scanner, Process Scanner, Registry Scanner, Browser Activity Scanner, Startup Scanner, LSP Scanner, Browser Scanner, Hosts Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
Other Sections:


So here's the HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 00:19:49, on 04/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SDMan.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\sabserv.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = het Vera...
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [e1cb5eeb.exe] C:\WINDOWS\System32\e1cb5eeb.exe
O4 - HKLM\..\Run: [ÿ_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKLM\..\RunServices: [ÿ_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [e1cb5eeb.exe] C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe
O4 - HKCU\..\Run: [ÿ_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Sabre Server.lnk = C:\WINDOWS\sabserv.exe
O4 - Global Startup: Sabre Printing Start.lnk = C:\Sabre\Sabstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sabretravelnetwork.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: European Printing Module (ZpmPrint) - Sabre inc. - C:\SABRE\Apps\EPM\Epm.exe

Many thanks
Bob
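
The O4 lines in the HijackThis log above show the same randomly named executable registered under HKLM\Run, HKLM\RunServices and HKCU\Run, and a hex-named file started both from System32 and from the user's Local Settings\Application Data. As an added example (not from this thread, Spybot or HijackThis), the Python script below parses O4 registry lines and flags exactly those traits; the sample lines are constructed from the log in this post.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines modelled on the HijackThis log in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [e1cb5eeb.exe] C:\WINDOWS\System32\e1cb5eeb.exe
O4 - HKLM\..\Run: [ÿ_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKLM\..\RunServices: [ÿ_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [e1cb5eeb.exe] C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe
O4 - HKCU\..\Run: [ÿ_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)   # path up to the first .exe
HEX_NAME_RE = re.compile(r'[0-9a-f]{8}\.exe')                    # names like e1cb5eeb.exe
USER_DIRS = ('\\local settings\\application data\\', '\\local settings\\temp\\', '\\temp\\')

def parse_o4(log_text):
    """Yield (hive, key, value_name, exe_path_lowercased) for each O4 registry line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        e = EXE_RE.match(m.group('cmd'))
        if e:
            yield m.group('hive'), m.group('key'), m.group('name'), e.group('exe').lower()

def analyze_o4(log_text):
    """Return {exe_path: [reasons]} for autostart entries showing suspicious traits."""
    keys_by_exe = defaultdict(set)
    reasons = defaultdict(set)
    for hive, key, name, exe in parse_o4(log_text):
        keys_by_exe[exe].add(f'{hive}\\{key}')
        if any(not 32 <= ord(c) < 127 for c in name):        # e.g. the leading 0xFF byte
            reasons[exe].add('non-ASCII or control characters in value name')
        if HEX_NAME_RE.fullmatch(exe.rsplit('\\', 1)[-1]):
            reasons[exe].add('random-looking hex file name')
        if any(d in exe for d in USER_DIRS):                  # user-writable, unusual for autostart
            reasons[exe].add('executable in a user-writable profile directory')
    for exe, keys in keys_by_exe.items():                     # same file under several run keys
        if len(keys) > 1:
            reasons[exe].add(f'same executable under {len(keys)} autostart keys: ' + ', '.join(sorted(keys)))
    return {exe: sorted(r) for exe, r in reasons.items()}

if __name__ == '__main__':
    for exe, why in analyze_o4(SAMPLE_LOG).items():
        print(exe, '->', '; '.join(why))
```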

LonnyRJones
2006-07-08, 15:56
Hello

Your post slipped by, sorry about that. Post back with a fresh HijackThis log, please.

tashi
2006-07-12, 09:10
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened, please send me or your helper a PM and provide a link to the thread.

Applies only to the original topic starter.