Creeper, download Spy Sweeper's two-week free trial from this link: http://www.webroot.com/consumer/downloads/?WRSID=e409ac047198452130f804c8e255dbca
Set Spy Sweeper up this way:
Install it. Once the program is installed, it will open. It will prompt you to update to the latest definitions; click Yes. Once the definitions are installed, click Options on the left side. Click the Sweep Options tab. Under "What to Sweep" please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Uncheck Do not Sweep System Restore Folder.
Click Sweep Now on the left side. Click the Start button. When it's done scanning, click the Next button. Make sure everything has a check next to it, then click the Next button. It will remove all of the items found. Click Session Log in the upper right corner and copy everything in that window. Click the Summary tab and click Finish. Paste the contents of the session log you copied into your next reply. Then download CCleaner to clean out all your temp files. Make sure there is not anything in the recycle bin that you need, as CCleaner will delete recycle bin items unless checked not to do so.
Then download HijackThis at this link, http://www.tomcoyote.org/hjt/, then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders, and the backup copies of deleted items can be easily located if needed.
Once saved, double click HijackThis.exe and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, press Ctrl-A to Select All, and copy its contents into the text editor at this forum. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Thanx for your response. This is the HT logfile. What should I do now?
Logfile of HijackThis v1.99.1
Scan saved at 10:19:35 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
E:\Program Files\WlanUtility.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Clay\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "E:\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: USBControl.lnk = ?
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hotmail.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1119110981053
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I am running another Spy Sweeper scan, but the last scan didn't save a file because I had to restart my computer to remove some things. Anyway, a Microsoft note keeps popping up in my toolbar that says my computer is infected! Here are the last couple of Spy Sweeper scans.
12:53 AM: | Start of Session, Sunday, December 04, 2005 |
12:53 AM: Spy Sweeper started
12:53 AM: Sweep initiated using definitions version 577
12:53 AM: Starting Memory Sweep
12:58 AM: Memory Sweep Complete, Elapsed Time: 00:04:55
12:58 AM: Starting Registry Sweep
12:59 AM: Registry Sweep Complete, Elapsed Time:00:00:38
12:59 AM: Starting Cookie Sweep
12:59 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:59 AM: Starting File Sweep
1:14 AM: File Sweep Complete, Elapsed Time: 00:14:45
1:14 AM: Full Sweep has completed. Elapsed time 00:20:32
1:14 AM: Traces Found: 0
********
9:21 PM: | Start of Session, Saturday, December 03, 2005 |
9:21 PM: Spy Sweeper started
9:21 PM: Sweep initiated using definitions version 577
9:22 PM: Starting Memory Sweep
9:26 PM: Memory Sweep Complete, Elapsed Time: 00:03:55
9:26 PM: Starting Registry Sweep
9:26 PM: Registry Sweep Complete, Elapsed Time:00:00:32
9:26 PM: Starting Cookie Sweep
9:26 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:26 PM: Starting File Sweep
9:44 PM: File Sweep Complete, Elapsed Time: 00:17:33
9:44 PM: Full Sweep has completed. Elapsed time 00:22:16
9:44 PM: Traces Found: 0
12:53 AM: | End of Session, Sunday, December 04, 2005 |
********
8:27 PM: | Start of Session, Saturday, December 03, 2005 |
8:27 PM: Spy Sweeper started
8:27 PM: Sweep initiated using definitions version 577
8:27 PM: Starting Memory Sweep
8:27 PM: Found Adware: popuper
8:27 PM: Detected running threat: C:\WINDOWS\system32\hpC5EF.tmp (ID = 190)
8:31 PM: Detected running threat: C:\WINDOWS\system32\nvctrl.exe (ID = 190)
8:32 PM: Memory Sweep Complete, Elapsed Time: 00:04:27
8:32 PM: Starting Registry Sweep
8:32 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (2 subtraces) (ID = 735573)
8:32 PM: Found Adware: security2k hijacker
8:32 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
8:32 PM: Found Trojan Horse: trojan-downloader-zlob
8:32 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797370)
8:32 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
8:32 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || nvctrl.exe (ID = 813700)
8:32 PM: HKCR\nvideocodek.chl\ (2 subtraces) (ID = 820294)
8:32 PM: HKLM\software\classes\nvideocodek.chl\ (2 subtraces) (ID = 820324)
8:32 PM: HKCR\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026307)
8:32 PM: HKLM\software\classes\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026331)
8:32 PM: Registry Sweep Complete, Elapsed Time:00:00:32
8:32 PM: Starting Cookie Sweep
8:32 PM: Found Spy Cookie: adknowledge cookie
8:32 PM: clay@adknowledge[1].txt (ID = 2072)
8:32 PM: Found Spy Cookie: ask cookie
8:32 PM: clay@ask[1].txt (ID = 2245)
8:32 PM: Found Spy Cookie: belnk cookie
8:32 PM: clay@ath.belnk[2].txt (ID = 2293)
8:32 PM: clay@belnk[2].txt (ID = 2292)
8:32 PM: Found Spy Cookie: go.com cookie
8:32 PM: clay@broadband.espn.go[1].txt (ID = 2729)
8:32 PM: Found Spy Cookie: dealtime cookie
8:32 PM: clay@dealtime[1].txt (ID = 2505)
8:32 PM: clay@dist.belnk[1].txt (ID = 2293)
8:32 PM: clay@espn.go[2].txt (ID = 2729)
8:32 PM: clay@forums.espn.go[1].txt (ID = 2729)
8:32 PM: clay@go[2].txt (ID = 2728)
8:32 PM: clay@insider.espn.go[1].txt (ID = 2729)
8:32 PM: Found Spy Cookie: mrskin cookie
8:32 PM: clay@mrskin[1].txt (ID = 3020)
8:32 PM: clay@rsi.espn.go[1].txt (ID = 2729)
8:32 PM: clay@sports.espn.go[2].txt (ID = 2729)
8:32 PM: clay@stat.dealtime[1].txt (ID = 2506)
8:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:32 PM: Starting File Sweep
8:50 PM: File Sweep Complete, Elapsed Time: 00:17:42
8:50 PM: Full Sweep has completed. Elapsed time 00:22:49
8:50 PM: Traces Found: 40
9:01 PM: Removal process initiated
9:01 PM: Quarantining All Traces: popuper
9:02 PM: popuper is in use. It will be removed on reboot.
9:02 PM: C:\WINDOWS\system32\hpC5EF.tmp is in use. It will be removed on reboot.
9:02 PM: C:\WINDOWS\system32\nvctrl.exe is in use. It will be removed on reboot.
9:02 PM: Quarantining All Traces: security2k hijacker
9:02 PM: Quarantining All Traces: trojan-downloader-zlob
9:02 PM: Quarantining All Traces: adknowledge cookie
9:02 PM: Quarantining All Traces: ask cookie
9:02 PM: Quarantining All Traces: belnk cookie
9:02 PM: Quarantining All Traces: dealtime cookie
9:02 PM: Quarantining All Traces: go.com cookie
9:02 PM: Quarantining All Traces: mrskin cookie
9:03 PM: BHO Shield: found: hpB17D.tmp-- BHO installation denied at user request
9:07 PM: Preparing to restart your computer. Please wait...
9:07 PM: Removal process completed. Elapsed time 00:05:32
********
8:21 PM: | Start of Session, Saturday, December 03, 2005 |
8:21 PM: Spy Sweeper started
8:23 PM: Your spyware definitions have been updated.
8:27 PM: | End of Session, Saturday, December 03, 2005 |

Creeper, download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Reboot into Safe Mode and run Ewido.
When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.
Please reboot into normal mode and post the ewido log.

Jabuck, Here is the latest ewido scan. Thanx
ewido security suite - Scan report
+ Created on: 11:56:31 AM, 12/4/2005
+ Report-Checksum: 165FC173
+ Scan result:
:mozilla.13:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Clay\Application Data\Mozilla\Firefox\Profiles\exw5xsv6.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\system32\mssearchnet.exe -> Downloader.Zlob.by : Cleaned with backup
::Report End

Creeper, it's SpyAxe. Download this SpyAxe removal tool, http://noahdfear.geekstogo.com/SpyAxeFix.exe, and save it to your desktop.
Reboot into safe mode and log in as administrator.
Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to its own folder. Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes. A text file named spyaxe.txt will be created in the SpyAxeFix folder. Post the contents of that log please.
If it will not run for some reason or it does not appear on the desktop, go to start>search>all files and folders>type in ".bat" without the quotes>search, and when spyaxefix.bat appears in the right pane, double click it.
After the reboot, download http://noahdfear.geekstogo.com/smitRem.exe
Reboot into safe mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again; this is normal.
Wait for the tool to complete and Disk Cleanup to finish. This may take a while, so please be patient. Run CCleaner from safe mode, post the SpyAxeFix log and the smitRem log, and post a new HT log.

Jabuck, here are the contents of the SpyAxeFix text file. Hope this works.
SpyAxeFix © by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/05/2005
The current time is: 0:04:28.84
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 828 'explorer.exe'
Killing PID 828 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
svchosts.dll present
1024 directory present
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Jabuck, Here is the HT log but the smitrem didn't create a logfile. What next?
Logfile of HijackThis v1.99.1
Scan saved at 12:53:32 AM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\HP Software Update\HPWuSchd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\WlanUtility.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Clay\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "E:\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: USBControl.lnk = ?
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hotmail.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1119110981053
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
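
Added example, not part of the thread and not HijackThis's own code: comparing a "before" and an "after" HijackThis log entry by entry shows what a cleanup actually changed and which remaining entries still deserve a manual look. The two sample logs are constructed from a few lines copied from the logs in this thread; the function names and the three review markers are assumptions of this example, and a marker means "check by hand", not "malicious".

```python
import re

# HijackThis entries begin with a section code (R0-R3, F0-F3, N1-N4, O1..On)
# followed by " - ". search() rather than match() is used on purpose: when a
# log is pasted into a forum, the first entry is sometimes fused onto the end
# of the last "Running processes" line.
ENTRY_RE = re.compile(r"(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Markers that appear in the logs on this page (labels are this example's own).
REVIEW_MARKERS = (
    (lambda d: "(file missing)" in d, "file missing"),
    (lambda d: "Unknown owner" in d, "unknown owner"),
    (lambda d: d.endswith("= ?"), "unresolved shortcut target"),
)

# Constructed sample: lines copied from the first log in the thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Clay\Desktop\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - Global Startup: USBControl.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Constructed sample: the same lines as they appear in the second log.
AFTER = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Clay\Desktop\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - Global Startup: USBControl.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


def parse_entries(log_text):
    """Return (section_code, detail) tuples in log order, skipping process lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def review_flags(detail):
    """Labels of every review marker present in one entry's detail text."""
    return [label for test, label in REVIEW_MARKERS if test(detail)]


def compare_logs(before_text, after_text):
    """Diff two logs and list the surviving entries that carry a review marker."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_set, after_set = set(before), set(after)
    return {
        "removed": [e for e in before if e not in after_set],
        "added": [e for e in after if e not in before_set],
        "review": [(c, d, review_flags(d)) for c, d in after if review_flags(d)],
    }


if __name__ == "__main__":
    result = compare_logs(BEFORE, AFTER)
    for code, detail in result["removed"]:
        print(f"removed: {code} - {detail}")
    for code, detail in result["added"]:
        print(f"added:   {code} - {detail}")
    for code, detail, flags in result["review"]:
        print(f"review ({', '.join(flags)}): {code} - {detail}")
```

An entry that shows up under "added" after a cleanup is the case to chase first, since it means something wrote a new autostart, toolbar or service between the two scans.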

Jabuck, I think things are fixed!! Thanx a lot for your help. Let me know what happened with the log files.

I have just gotten this iworm_attack virus onto my computer. This morning I had many alerts telling me that my computer had been hijacked. I'm so worried about my information being exploited. I've got a HijackThis log. What do I do? Please help :(

Hi, I was recently infected with the AIM virus that asks to put a picture of me on MySpace, and now it IMs everyone on my buddy list. I tried to remove it with aimfix and thought it was gone, but then I went back online and all my groups were minimized and it eventually IMed all my friends again. I know there have been fixes already posted to this, but I was hoping someone could walk me through it just so I make sure I don't mess up my computer. Thanks.
