Jump to content

Recommended Posts

My system has a Spigot trojan. Malwarebytes id'd it and removed it, but SearchSettings.exe is re-launched at each boot. I followed the steps in the "T'm infected..." thread, but GMER ran for more than 3 hours, then froze my system, requiring a power off/on. I used RKUnhookerLE the 2nd time with Drivers and Stealth checked. Please take a look and advise as to what my next steps should be. Thanks very much.

_______________________________________________________________________________________________

DDS (Ver_11-03-05.01) - NTFSx86

Run by Trish Baskin at 19:38:50.28 on Thu 05/12/2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.482 [GMT -4:00]

.

AV: ZoneAlarm Security Suite Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Security Suite Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe

C:\WINDOWS\system32\lxducoms.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe

C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe

C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe

C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

C:\WINDOWS\LOGI_MWX.EXE

C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Greenshot\Greenshot.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Documents and Settings\Trish Baskin\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.pctools.com/mrc/fix_homepage/

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [Mozilla Quick Launch] "c:\program files\mozilla.org\mozilla\Mozilla.exe" -turbo

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\trish baskin\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [Apoint] "c:\program files\apoint\Apoint.exe"

mRun: [AzMixerSel] "c:\program files\realtek\installshield\AzMixerSel.exe"

mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"

mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"

mRun: [TVTunerLib] "c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe"

mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

mRun: [VZRemoteCommander] "c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe"

mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"

mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"

mRun: [Lexmark 5600-6600 Series Fax Server] "c:\program files\lexmark 5600-6600 series\fm3032.exe" /s

mRun: [Logitech Utility] "LOGI_MWX.EXE"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

StartupFolder: c:\docume~1\trishb~1\startm~1\programs\startup\greens~1.lnk - c:\program files\greenshot\Greenshot.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\gjj1qsha.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll

FF - plugin: c:\documents and settings\trish baskin\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\trish baskin\application data\mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\trish baskin\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-12-22 128016]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-12-22 317072]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-12-22 528128]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-8-27 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-8-27 493032]

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]

R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-3-24 98984]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-26 136176]

S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-26 136176]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-7-14 14336]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

.

=============== Created Last 30 ================

.

2011-05-05 17:02:25 8255005 ----a-w- c:\documents and settings\all users\SPL240.tmp

2011-04-25 23:41:26 -------- d-----w- c:\docume~1\trishb~1\locals~1\applic~1\PCHealth

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

==================== Find3M ====================

.

2011-04-05 11:34:46 19508 ----a-w- c:\documents and settings\all users\SPL142.tmp

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 19:42:46.09 ===============

Link to post
Share on other sites

post-32477-1261866970.gif

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

1.Click Start > Settings > Control Panel.

2.Next, open Add/Remove Programs and remove if listed:

Spigot

IObit

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Link to post
Share on other sites

When I looked at the program list, I saw IOBit Toolbar v 4.1, but not Spigot, even though Searchsettings started up at previous reboot. When I went to remove IOBit, I got a message that MS Windows Installer couldn't be accessed. I'm not sure whether that's related to the Spigot trojan, but I went to the MS site and followed instructions for reregistering the Installer, but I found that the MSIServer service was listed under ControlSet001, but not under CurrentControlSet, which is where MS said it should be. Rather than mess around blindly, I decided to use the alternate method from MS, and downloaded a new dist pkg from them and ran it. Seems to be working fine now, so I removed IOBit, ran ATFCleaner, and rebooted. The first thing I checked for was SearchSettings.exe running, and it isn't there. System is running much better now. Original symptoms were mostly things like low memory messages, occasionally programs taking a long time to load or failing to ever go active, scripts going "busy" or hanging. Is there anything further I should do in this instance?

Going forward, I have the free version of ZoneAlarm, run Malwarebytes regularly, use WOT, follow basic security rules regarding emails, downloads, etc. Should I be doing something, or installing something specific regarding trojans? They can be a real pain to get rid of as I'm sure you know:} Thanks.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.