log - help with trojans Trojan.Briss BackDoor.Ruller Trojan.DownLoader.240

Discussion in 'adware, spyware & hijack cleaning' started by Trippin13, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. Trippin13

    Trippin13 Registered Member

    Joined: Apr 29, 2004
    Posts: 1
    Help please! I got a few trojans and tons of spyware ... it just happened through a popup that opened on one of the discussion sites on the net and I can't remove these trojans .. I got Spybot S&D 1.2, removed things. Used AVG to remove all I could (would not remove all files), got Trojan Hunter, wasn't detecting all bits. Stop-Sign did detect but I don't have the full version to remove. Anyway here is the HijackThis log, so if someone can help, cheers (it's on XP).

    Logfile of HijackThis v1.97.7
    Scan saved at 11:08:41 AM, on 30/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
    D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    D:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\rundll32.exe
    D:\Program Files\E-Color\Common\IconMgr.exe
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    D:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    D:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHT~1\eanthtutor.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
    C:\WINDOWS\explorer.exe
    D:\Program Files\Trillian Pro2\trillian.exe
    C:\PROGRA~1\INTERN~1\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\hijackthis1977\HijackThis.exe
    C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
    C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\fnakic\Application Data\Mozilla\Profiles\default\irrl8ad8.slt\prefs.js)
    O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lsfyb] C:\WINDOWS\lsfyb.exe
    O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [tglopun] C:\WINDOWS\tglopun.exe
    O4 - HKLM\..\Run: [dojujsl] C:\WINDOWS\dojujsl.exe
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\DOCUME~1\fnakic\LOCALS~1\Temp\EANTH_~1.EXE /Startup
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: E-Color.lnk = D:\Program Files\E-Color\Common\IconMgr.exe
    O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Decompiler - D:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O9 - Extra button: Taming the Beast.net SMS Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Taming the Beast.net SMS Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: SWFDecompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O9 - Extra button: Taming the Beast.net SMS Messenger (HKCU)
    O9 - Extra 'Tools' menuitem: Taming the Beast.net SMS Messenger (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zgm.local
    O17 - HKLM\Software\..\Telephony: DomainName = zgm.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zgm.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zgm.local
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002
    Posts: 13,331
    Location: Netherlands
    Hi Trippin13,

    I'm glad you didn't decide to buy StopSign. It is spyware itself.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lsfyb] C:\WINDOWS\lsfyb.exe

    O4 - HKLM\..\Run: [tglopun] C:\WINDOWS\tglopun.exe
    O4 - HKLM\..\Run: [dojujsl] C:\WINDOWS\dojujsl.exe
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\DOCUME~1\fnakic\LOCALS~1\Temp\EANTH_~1.EXE /Startup

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    C:\Program Files\ACCELERATION SOFTWARE <= entire folder
    C:\Program Files\TV Media <= entire folder
    C:\Program Files\COMMON FILES\EACCELERATION <= entire folder
    C:\WINDOWS\bxxs5.dll

    Then run HijackThis again and post a new log.

    Regards,

    Pieter
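To make the reasoning in the reply above explicit, here is an added example (not part of the thread, and not HijackThis's own logic) that runs a small triage pass over R0/R1/R3 and O4 lines: the hostnames and entry names it keys on are taken from the log and the reply on this page, and the remaining heuristics (binaries dropped straight into C:\WINDOWS, autostarts from Temp, rundll32 loading a DLL outside System32) are the editor's assumptions.

```python
import re
# Added example, not from the thread: triage of HijackThis R0/R1/R3 and O4 lines.
# Heuristics are the editor's, not HijackThis's; hosts/names come from this page.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.*)$")
R_RE = re.compile(r"^R([013]) - (.*)$")
HIJACK_HOSTS = ("smartbotpro.net", "default-homepage-network.com")
CALLED_OUT = ("tv media", "eaccel", "accele~1", "newdot", "bxxs5")  # named in the reply

def flag_o4(cmd):
    """Reasons an autostart command looks suspicious (empty list = none)."""
    c = cmd.lower()
    reasons = []
    if re.search(r'c:\\windows\\[^\\\s"]+\.(exe|dll)\b', c):
        reasons.append("binary dropped in WINDOWS root")       # lsfyb.exe, bxxs5.dll
    if "\\temp\\" in c:
        reasons.append("autostart from a Temp directory")      # EANTH_~1.EXE
    if c.startswith("rundll32") and "system32" not in c:
        reasons.append("rundll32 loading a DLL outside System32")
    if any(k in c for k in CALLED_OUT):
        reasons.append("matches a name called out in the reply")
    return reasons

def flag_r(kind, rest):
    # R0/R1: start or search page; R3: URLSearchHook entry
    r = rest.lower()
    if kind in ("0", "1") and any(h in r for h in HIJACK_HOSTS):
        return ["IE start/search page points at a known hijack host"]
    if kind == "3" and "(no file)" in r:
        return ["URLSearchHook with no backing file"]
    return []

def triage(lines):
    # Map each flagged log line to its reasons; clean lines are omitted.
    flagged = {}
    for ln in (s.strip() for s in lines):
        o4, r = O4_RE.match(ln), R_RE.match(ln)
        reasons = flag_o4(o4.group(4)) if o4 else flag_r(*r.groups()) if r else []
        if reasons:
            flagged[ln] = reasons
    return flagged

# Lines copied from the log posted above; the NvCpl line is a clean control.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu",
    r"R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup",
    r"O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun",
    r"O4 - HKLM\..\Run: [lsfyb] C:\WINDOWS\lsfyb.exe",
    r"O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\DOCUME~1\fnakic\LOCALS~1\Temp\EANTH_~1.EXE /Startup",
]
```

Name-based rules like CALLED_OUT only catch what a helper has already identified; the path heuristics are what surface entries such as lsfyb.exe before anyone has a name for them.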
     