log - help with trojans Trojan.Briss BackDoor.Ruller Trojan.DownLoader.240

Discussion in 'adware, spyware & hijack cleaning' started by Trippin13, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. Trippin13

    Trippin13 Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    1
    Heeelp please I got few trojans tons of spyware ... it just happened through a popup that opened on one of the discussion sites on the net and I can't remove these trojans .. I got spybot s&d 1.2 removed things. used avg to remove all i could (would not remove all files), got tojan hunter wasn't dettecting all bits stop-sign did dettect but I don't have full version to remove. Anyway here is the hijack log so if someone can help cheeers (it's on xp )

    Logfile of HijackThis v1.97.7
    Scan saved at 11:08:41 AM, on 30/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
    D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    D:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\rundll32.exe
    D:\Program Files\E-Color\Common\IconMgr.exe
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    D:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    D:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHT~1\eanthtutor.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
    C:\WINDOWS\explorer.exe
    D:\Program Files\Trillian Pro2\trillian.exe
    C:\PROGRA~1\INTERN~1\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\hijackthis1977\HijackThis.exe
    C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
    C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\fnakic\Application Data\Mozilla\Profiles\default\irrl8ad8.slt\prefs.js)
    O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lsfyb] C:\WINDOWS\lsfyb.exe
    O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [tglopun] C:\WINDOWS\tglopun.exe
    O4 - HKLM\..\Run: [dojujsl] C:\WINDOWS\dojujsl.exe
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\DOCUME~1\fnakic\LOCALS~1\Temp\EANTH_~1.EXE /Startup
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: E-Color.lnk = D:\Program Files\E-Color\Common\IconMgr.exe
    O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Decompiler - D:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O9 - Extra button: Taming the Beast.net SMS Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Taming the Beast.net SMS Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: SWFDecompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O9 - Extra button: Taming the Beast.net SMS Messenger (HKCU)
    O9 - Extra 'Tools' menuitem: Taming the Beast.net SMS Messenger (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zgm.local
    O17 - HKLM\Software\..\Telephony: DomainName = zgm.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zgm.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zgm.local
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Trippin13,

    I'm glad you didn't decide to buy StopSign. It is spyware itself.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lsfyb] C:\WINDOWS\lsfyb.exe

    O4 - HKLM\..\Run: [tglopun] C:\WINDOWS\tglopun.exe
    O4 - HKLM\..\Run: [dojujsl] C:\WINDOWS\dojujsl.exe
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\DOCUME~1\fnakic\LOCALS~1\Temp\EANTH_~1.EXE /Startup

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    C:\Program Files\ACCELERATION SOFTWARE <= entire folder
    C:\Program Files\TV Media <= entire folder
    C:\Program Files\COMMON FILES\EACCELERATION <= entire folder
    C:\WINDOWS\bxxs5.dll

    Then run HijackThis again and post a new log.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.