|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
Thread Tools |
03-03-2008, 07:29 AM
|
#21 (permalink) |
|
Registered User
Join Date: Feb 2008
Posts: 11
OS: windows xp
|
Re: help - how to get rid of trojan-downloader.win32.small.htb?
ok.
updated the java. zone alarm scanned the system finding pretty harmless spywares and deleted them. system looks fine, i haven't connected it to the net yet. |
|
     |
|
03-03-2008, 10:24 AM
|
#22 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
|
Re: help - how to get rid of trojan-downloader.win32.small.htb?
Please re-connect to the internet and surf around a bit. Then, please run a new scan with dss.exe and post the main.txt here for final review.
|
|
|
|
|
03-05-2008, 05:09 AM
|
#23 (permalink) |
|
Registered User
Join Date: Feb 2008
Posts: 11
OS: windows xp
|
Re: help - how to get rid of trojan-downloader.win32.small.htb?
here it is the dss's main log:
Deckard's System Scanner v20071014.68 Run by aga on 2008-03-05 13:05:57 Computer is in Normal Mode. -------------------------------------------------------------------------------- System Drive C: has 0.16 GiB (less than 15%) free. -- HijackThis (run as aga.exe) ------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13.06.26, on 05/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\htpatch.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe C:\Programmi\Java\jre1.6.0_04\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RioMSC.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Programmi\Mozilla Firefox\firefox.exe C:\Programmi\MSN Messenger\msnmsgr.exe C:\Programmi\MSN Messenger\usnsvc.exe C:\Programmi\Skype\Phone\Skype.exe C:\Programmi\Skype\Plugin Manager\SkypePM.exe C:\Programmi\ACD Systems\ACDSee\6.0\ACDSee6.exe C:\Programmi\File comuni\ACD Systems\DBLocalServer.exe C:\Documents and Settings\aga\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\aga.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing) O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835 O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...34/mcfscan.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL O23 - Service: RIO Mass Storage C (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5372 bytes -- Files created between 2008-02-05 and 2008-03-05 ----------------------------- 2008-03-03 15:05:52 0 d-------- C:\Programmi\Java 2008-03-03 15:05:44 0 d-------- C:\Programmi\File comuni\Java 2008-02-25 19:40:01 0 --a------ C:\WINDOWS\system32\cnpsdk1603txt 2008-02-20 11:49:33 0 --a------ C:\WINDOWS\system32\cnpsdk53587txt 2008-02-16 10:07:10 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-02-13 16:18:46 260272 --a------ C:\cmldr 2008-02-13 16:18:34 0 d-------- C:\cmdcons 2008-02-13 16:09:59 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec> 2008-02-08 21:12:59 68096 --a------ C:\WINDOWS\system32\zip.exe 2008-02-08 21:12:59 98816 --a------ C:\WINDOWS\system32\sed.exe 2008-02-08 21:12:59 80412 --a------ C:\WINDOWS\system32\grep.exe 2008-02-08 21:12:59 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-02-08 18:14:13 0 d-------- C:\Programmi\Trend Micro -- Find3M Report --------------------------------------------------------------- 2008-03-05 12:48:35 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Skype 2008-03-05 02:26:17 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80271102}.dat 2008-03-05 02:26:17 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80271102}.dat 2008-03-03 15:05:44 0 d-------- C:\Programmi\File comuni 2008-02-25 16:52:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2008-02-20 11:49:51 13301 --a------ C:\WINDOWS\system32\productregistry 2008-02-20 11:48:55 0 d-------- C:\Programmi\eMule 2008-02-04 16:51:21 425432 --a------ C:\WINDOWS\system32\perfh010.dat 2008-02-04 16:51:21 63180 --a------ C:\WINDOWS\system32\perfc010.dat 2008-02-04 16  56 7907 --a------ C:\WINDOWS\mozver.dat2008-02-04 02:13:36 0 d-------- C:\Programmi\iolo 2008-02-03 20:59:42 2243260 --ah----- C:\WINDOWS\system32\spython.bin 2008-02-03 17:55:03 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\iolo 2008-02-03 17:27:44 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Azureus 2008-02-03 01:31:23 0 d-------- C:\Programmi\Soulseek 2008-02-01 15:25:10 512 --a------ C:\ScanSectorLog.dat 2008-01-29 00:53:44 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\dvdcss 2008-01-29 00:53:29 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\BSplayer Pro 2008-01-28 17:14:07 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\VoipBuster 2008-01-17 03:29:29 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Adobe 2008-01-16 04:29:12 0 d-------- C:\Programmi\File comuni\Adobe 2008-01-16 04:21:06 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\AdobeUM 2008-01-07 14:53:07 0 d-------- C:\Programmi\Azureus -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HTpatch"="C:\WINDOWS\htpatch.exe" [30/10/2002 10.40] "WINDVDPatch"="CTHELPER.EXE" [02/07/2002 17.56 C:\WINDOWS\system32\CTHELPER.EXE] "ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16.05] "SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_04\bin\jusched.exe" [14/12/2007 03.42] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 23.39] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite] C:\Programmi\ICQLite\ICQLite.exe -minimize [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer] "C:\Programmi\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] C:\Programmi\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "ImapiService"=3 (0x3) -- End of Deckard's System Scanner: finished at 2008-03-05 13:08:30 ------------ |
|
|
|
|
03-05-2008, 05:55 AM
|
#24 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
|
Re: help - how to get rid of trojan-downloader.win32.small.htb?
Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:
The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK: ComboFix /u -------------------------------------------------------------------- To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ----------------------------------------------------- Follow the list above and the potential for infection will reduce dramatically. **Kindly respond one more time and let me know if we may consider this thread resolved. |
|
|
|
| Thread Tools | |
|
|
