A Challenge - lots of trojans and more

Started by Skittles, November 28, 2005, 02:00:14 PM


Skittles

Well I am going to assume that this laptop is clear.

Although I am concerned about the fact that I have not been online with this laptop since I last posted in this topic, and yet I got an automatic warning that popped up from AVG saying that it found a virus. Grrr, I thought we were clean. At least it fixed it.

And I also got BlackLight from F-Secure to try and locate that stinkin' WinFixer, to no avail. It found nothing. Grrr.

So I am hoping that we got it all, although I have a feeling it is still in there somewhere.

But the person who owns this computer is going to need the PC back now. He was able to let me have it for this long since he works at a college and can use their PCs there, but it is the holiday break, so they are home now. So I need to wrap this up very, very soon.

I just ran Ewido, and that was all clear too.


Skittles

Grrrr, Die Hard, I still have a little bit of that WeirdOnTheWeb left somewhere... grrr.

Found it during the Panda scan.

Here is the log:

Adware:adware/weirdontheweb
Not desinfected
Windows Registry

Skittles

Logfile of HijackThis v1.99.1
Scan saved at 22:11:50, on 2005-12-22
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program\Compaq\EASYAC~1\BttnServ.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\HJT do not use without help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://c:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Die Hard

skittlespc :)

It seems to be a detail in the registry; I would think it will cause no problems. It will be one of many orphaned entries there.

*If* you want to remove it, open the Registry Editor, click "Edit > Search" in the menu bar and search for "weirdontheweb". When you find one, delete it. Then press F3 to search for the next key/value.

As always, make a backup before you make any changes in the registry.

Regards

Die Hard :)
I create and edit my posts in GS-NOTES
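The regedit procedure above (search for the string, delete the hit, F3, repeat) written out as a script, added here as an example; it is not from the original thread. It exports both hives first, then walks HKLM and HKCU for key names, value names and value data containing the string Panda reported, and only deletes matches when the -Remove switch is given. It assumes Windows PowerShell 5.1 or later in an elevated prompt (HKLM writes need it) and reg.exe on the PATH; the default search string, the backup folder and the switch name are this example's own choices.

```powershell
<#
  Added example (not from the original thread): a scripted version of the
  regedit "search for weirdontheweb, delete, F3, repeat" procedure.
  Assumes Windows PowerShell 5.1+ and reg.exe; HKLM writes need an elevated
  prompt. Report-only by default; pass -Remove to delete what it finds.
#>
param(
    [string]$Pattern   = 'weirdontheweb',                        # string Panda reported
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'regbackup'),
    [switch]$Remove
)

$rx = [regex]::Escape($Pattern)   # literal, case-insensitive match via -match

# 1. Backup first, as advised: full exports of both hives so a mistaken
#    deletion can be undone with "reg.exe import <file>".
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($hive in 'HKLM', 'HKCU') {
    $file = Join-Path $BackupDir "$hive-$stamp.reg"
    & reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $hive failed; not continuing." }
}

# 2. Walk both hives and collect every key name, value name or value data
#    that contains the pattern. Keys we are not allowed to open are skipped.
$hits = foreach ($root in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $rx) {
            [pscustomobject]@{ Kind = 'Key'; Path = $key.PSPath; Name = ''; Data = '' }
        }
        try { $names = $key.GetValueNames() } catch { $names = @() }
        foreach ($name in $names) {
            # REG_MULTI_SZ / REG_BINARY come back as arrays; flatten to one string
            $data = ($key.GetValue($name) | ForEach-Object { [string]$_ }) -join ' '
            if ($name -match $rx -or $data -match $rx) {
                [pscustomobject]@{ Kind = 'Value'; Path = $key.PSPath; Name = $name; Data = $data }
            }
        }
    }
}

if (-not $hits) { Write-Host "No registry entries match '$Pattern'."; return }
$hits | Format-Table Kind, Path, Name, Data -AutoSize

# 3. Delete only when asked. Deepest paths go first, and anything that already
#    disappeared with a deleted parent key is skipped.
if ($Remove) {
    foreach ($h in ($hits | Sort-Object { $_.Path.Length } -Descending)) {
        if (-not (Test-Path -LiteralPath $h.Path)) { continue }
        if ($h.Kind -eq 'Key') {
            Remove-Item -LiteralPath $h.Path -Recurse -Force
        } else {
            # PowerShell addresses the unnamed default value as "(default)"
            $n = if ($h.Name -eq '') { '(default)' } else { $h.Name }
            Remove-ItemProperty -LiteralPath $h.Path -Name $n -Force
        }
        Write-Host "Removed $($h.Kind): $($h.Path) $($h.Name)"
    }
    Write-Host "Backups are in $BackupDir"
}
```

Run it once without -Remove and read the table; value data that merely mentions the string (an uninstall log path, a most-recently-used list) is an orphan, not the adware itself, and deleting it changes nothing. If something breaks after a -Remove run, `reg.exe import` the .reg file of the affected hive from the backup folder.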

Skittles

Thanks!

I think that I will go ahead and leave it as is. It is no longer showing up on the scans I have on the PC. Only Panda picked it up. I will just monitor it after they have it for a while and see if they start to get signs of it causing more problems.

I talked to the owner of this laptop and he admitted to downloading the SurfSide. He got one of those popups that say something is wrong with your computer, so download this to fix it. And he believed it, so he downloaded it. I will educate him further on what is okay to download and update and what is not.

I am glad that I ran the full test scan at PC Pitstop, because I just realized that the internet cache settings were set to 1. Not that it makes a huge difference, but it is usually recommended to keep it between 10 and 100.

And I hope that WinFixer will no longer be an issue. I do see it is still listed in the Startup List when I run msconfig, but I have it disabled, so it should be okay.

Now I am on to going through the list of startups from msconfig at CastleCops to see what things I can disable.

Thanks again!

Skittles