| Thread ID: 45964 | 2004-06-08 11:57:00 | Dropper.Swizzor.AH | donna (1667) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 242866 | 2004-06-08 11:57:00 | Hi. A friend of mine has been infected with Dropper.Swizzor.AH. PC is dialing up to the internet automatically. AVG is not getting rid of it. He has run Spybot and Ad-Aware and they are not showing anything. Google is not throwing up any info. I got him to run HijackThis and was wondering if someone could give the log a bit of a once-over and let me know if he has any nasties in there. Much appreciated, Donna

Logfile of HijackThis v1.97.7
Scan saved at 10:39:33 p.m., on 8/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\DllHost.exe
C:\Documents and Settings\Stefan Thompson\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [CFJM] C:\WINDOWS\CFJM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: KCrypto for Applets - www.ros.ie
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - www.apple.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - security.symantec.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A89187BD-6EA8-4F84-918F-BBDA540BE2DE}: NameServer = 202.27.158.40 202.27.184.3 |
donna (1667) | ||
| 242867 | 2004-06-08 12:08:00 | Try this www.google.co.nz search. | beama (111) | ||
| 242868 | 2004-06-08 12:09:00 | O4 - HKLM\..\Run: [CFJM] C:\WINDOWS\CFJM.exe — Remove it. Otherwise looks OK with these tired eyes. Would also advise downloading CCleaner (www.spazmatic.net), ticking "delete index.dat files" and having a clean out. Bedtime I think; see if I can catch up on the 4 hours of sleep I missed out on last night. |
Pheonix (280) | ||
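A way to do the triage Pheonix did by eye, as an added example that is not from this thread or from the HijackThis project: parse the O4 registry Run lines of a HijackThis log, flag entries whose executable starts from an unusual location (directly in the Windows folder rather than System32 or Program Files, or from a Temp or user-profile directory), and collect the O17 DNS servers so the dial-up and name-resolution side can be checked against the ISP's known servers. The sample lines are copied from the posted log; the heuristics and the function names are mine and are not part of any HijackThis tooling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input for this example: a few lines in the HijackThis
# v1.97 log format, copied from the log posted in the thread (not the whole log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CFJM] C:\WINDOWS\CFJM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A89187BD-6EA8-4F84-918F-BBDA540BE2DE}: NameServer = 202.27.158.40 202.27.184.3
"""

# Windows folder on this machine, lower-cased for comparison (assumption: XP default).
WINDOWS_ROOT = r"c:\windows"

# O4 registry Run line: "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O17 line carrying the configured DNS servers
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str

    @property
    def executable(self) -> str:
        return split_command(self.command)[0]

    @property
    def directory(self) -> Optional[str]:
        """Folder the executable lives in, or None for a bare file name
        (resolved through the search path at boot, so not judgeable from the log)."""
        exe = self.executable
        if "\\" not in exe:
            return None
        return exe.rsplit("\\", 1)[0].lower()


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Extract the registry Run/RunOnce entries from a HijackThis log."""
    entries: List[RunEntry] = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def review_entry(e: RunEntry) -> Optional[str]:
    """Return a reason the entry deserves a closer look, or None if it passes."""
    d = e.directory
    if d is None:
        return None
    if d == WINDOWS_ROOT:
        return "executable placed directly in the Windows folder, not System32 or Program Files"
    if "\\temp" in d or "\\local settings\\" in d:
        return "executable started from a Temp or user-profile directory"
    return None


def flag_suspicious(entries: List[RunEntry]) -> List[Tuple[RunEntry, str]]:
    """Pair each flagged entry with the reason it was flagged."""
    return [(e, review_entry(e)) for e in entries if review_entry(e)]


def nameservers(log_text: str) -> List[str]:
    """Collect the DNS servers HijackThis reports in O17 lines."""
    servers: List[str] = []
    for line in log_text.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            servers.extend(m["servers"].split())
    return servers


if __name__ == "__main__":
    runs = parse_run_entries(SAMPLE_LOG)
    for e in runs:
        print(f"{e.hive}\\...\\{e.key} [{e.name}] -> {e.executable}")
    for e, reason in flag_suspicious(runs):
        print(f"REVIEW [{e.name}] {e.executable}: {reason}")
    print("DNS servers:", ", ".join(nameservers(SAMPLE_LOG)))
```

On the sample, only the [CFJM] entry is flagged, which matches the one line Pheonix singled out; bare names such as SOUNDMAN.EXE are reported but not judged, since the log alone does not say where the search path resolves them.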
| 242869 | 2004-06-08 12:22:00 | Also, get him to turn off the restore function, and only turn it back on when all clear. Do an online AV scan in case yours is compromised, here (housecall.antivirus.com), which should pick up and clean the trojan. |
Pheonix (280) | ||
| 242870 | 2004-06-08 12:27:00 | Thanks for that, I will get him on to it. Donna |
donna (1667) | ||