Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: pacman2004 on June 25, 2005, 03:42:40 PM

Title: spoo1.exe
Post by: pacman2004 on June 25, 2005, 03:42:40 PM
Hello !

Recently, my PC was infected with this virus spoo1.exe. This virus runs every time the PC boots up. I could not access the icons on the taskbar because the taskbar flickers and disappears every time I click my mouse.

I tried running Avast, Adaware, Spybot Search & Destroy, but none worked.

In the end I downloaded Autorun (shows which programs run when booting up) from sysinternal and removed the virus manually.

Why didn't Avast, Adaware or Spybot detect this virus???


 
Title: Re: spoo1.exe
Post by: FreewheelinFrank on June 25, 2005, 04:08:13 PM
Hi pacman2004,

Do you mean spool.exe?

spool.exe is part of RapidBlaster spyware:

http://www.liutilities.com/products/wintaskspro/processlibrary/spool/

This spyware is constantly changing to avoid detection, which is why all the programs you tried missed it.

There is a special tool available. I suggest you run it just to make sure RapidBlaster has gone:

http://www.wilderssecurity.net/specialinfo/rapidblaster.html

SpywareBlaster will protect you against future infection by RapidBlaster. It's available here:

http://www.javacoolsoftware.com/spywareblaster.html
Title: Re: spoo1.exe
Post by: pacman2004 on June 26, 2005, 11:28:28 AM
Hi FreewheelinFrank!

It's spoo1.exe, no mistake about the name :)

Thanks for the link.  I will try it out.
Title: Re: spoo1.exe
Post by: FreewheelinFrank on June 26, 2005, 12:01:08 PM
Spool1.exe brings up nothing on Google: it must be something new.

Can you do a scan with HijackThis! and post the log please?

Instructions here:

http://www.bleepingcomputer.com/forums/tutorial42.html
Title: Re: spoo1.exe
Post by: pacman2004 on June 27, 2005, 02:06:11 PM
Hello FreewheelinFrank

I thought I removed spoo1.exe already  ???

But this process appeared again after I ran HijackThis. Same symptoms as before; a message saying "my IE homepage has changed to about:blank".

Anyway, please see log below.  Hope you can help solve this problem.

http://www.18hi.com/123.exe
Logfile of HijackThis v1.99.1
Scan saved at 7:58:46 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED167D02-FBA5-4053-99C6-588473EB4C04}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

Title: Re: spoo1.exe
Post by: pacman2004 on June 27, 2005, 02:07:33 PM
By the way, the process is spoo1.exe, not spool1.exe.
Title: Re: spoo1.exe
Post by: pacman2004 on June 27, 2005, 02:26:10 PM
Freewheelin Frank

Please ignore previous log, because I have shut down the process spoo1.exe.

This new log is taken with spoo1.exe running:

http://www.18hi.com/123.exe
Logfile of HijackThis v1.99.1
Scan saved at 8:23:17 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\WINDOWS\system\spoo1sv.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SVCH0ST] C:\WINDOWS\system\spoo1sv.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED167D02-FBA5-4053-99C6-588473EB4C04}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

Title: Re: spoo1.exe
Post by: FreewheelinFrank on June 27, 2005, 02:41:43 PM
Hi Pacman2004,

spoo1sv.exe is a Trojan process:

http://castlecops.com/s3454-spoo1sv_exe.html

Please download, install, update and run this anti-trojan program:

http://www.ewido.net/en/

(If this doesn't work, we can do a manual deletion, so let me know if it works.)

I also recommend you download Ad-Aware and run a scan:

http://www.lavasoft.de/

It may detect Gamespy Arcade which is adware and which you may want to remove:

http://securityresponse.symantec.com/avcenter/venc/data/adware.gamespyarcade.html
Title: Re: spoo1.exe
Post by: pacman2004 on June 28, 2005, 03:45:39 PM
Hello Freewheelin Frank

I tried running ewido under normal & safe modes. Still doesn't pick up this virus :(

How do I remove it manually???
Title: Re: spoo1.exe
Post by: raman on June 28, 2005, 04:02:33 PM
Please test the file C:\WINDOWS\system\spoo1sv.exe at http://virusscan.jotti.org/ and report what it finds. You could first rename the file in Safe mode to prevent the file getting started in normal mode.
Title: Re: spoo1.exe
Post by: FreewheelinFrank on June 28, 2005, 04:04:20 PM
Hi Pacman2004,

Run HijackThis again and check the following entries:

O4 - HKLM\..\Run: [SVCH0ST] C:\WINDOWS\system\spoo1sv.exe

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab

The first is your Trojan and is essential to remove; the second is adware and only recommended to remove.

Click the Fix button and reboot into safe mode. (Tap F8 while booting.)

Delete this file:

C:\WINDOWS\system\spoo1sv.exe

and search for any more instances of spoo1sv.exe and delete them.

(You may need to enable 'show hidden files':

http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Reboot into normal mode and do another HijackThis scan to check that spoo1sv.exe has gone.

If it has not, there are more drastic ways to kill it we can try later!

Good luck,

FF
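The look-alike names that let this entry hide in plain sight (spoo1sv.exe for spoolsv.exe, a Run value called SVCH0ST for svchost) can be caught mechanically. The Python below is an added example, not code from this thread or from Avast: it parses HijackThis-style log lines (a constructed excerpt of the log posted above), undoes the digit-for-letter swaps, and flags entries that merely resemble Windows system binaries or run them from the wrong directory.

```python
"""Flag look-alike system process names in HijackThis-style log lines.

spoo1sv.exe (digit one) imitates the print spooler spoolsv.exe and is started
by a Run value named SVCH0ST (digit zero) imitating svchost; this parser
undoes such digit-for-letter swaps and reports names that only resemble a
Windows system binary, or system binaries running from the wrong directory.
"""
import re

# Digits commonly substituted for letters in look-alike file names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l"})

# Windows XP system binaries and the directory each belongs in (lower-case).
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# 'O4 - HKLM\..\Run: [Name] command' lines; Startup-folder O4 lines are skipped.
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First drive-letter path ending in .exe inside a Run command line.
EXE_PATH = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)

def canonical(name):
    """Lower-case a name and map confusable digits back to letters."""
    return name.lower().translate(CONFUSABLES)

def check_image(path, source):
    """Return (source, path, reason, canonical_name) or None for a benign path."""
    directory, _, filename = path.lower().rpartition("\\")
    canon = canonical(filename)
    expected_dir = KNOWN_SYSTEM_BINARIES.get(canon)
    if expected_dir is None:
        return None  # not imitating a tracked system binary
    if filename != canon:
        return (source, path, "lookalike-name", canon)
    if directory != expected_dir:
        return (source, path, "wrong-directory", canon)
    return None

def check_run_value(name, cmd):
    """Check a Run value's own name and the executable it launches."""
    findings = []
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    canon = canonical(base) + ".exe"
    if canon in KNOWN_SYSTEM_BINARIES and base + ".exe" != canon:
        findings.append(("run-value", name, "lookalike-name", canon))
    match = EXE_PATH.search(cmd)
    if match:
        finding = check_image(match.group(0), "run-value")
        if finding:
            findings.append(finding)
    return findings

def scan_log(text):
    """Collect findings from the 'Running processes' list and O4 Run lines."""
    findings = []
    in_processes = False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            finding = check_image(line, "process")
            if finding:
                findings.append(finding)
        elif in_processes:
            in_processes = False  # blank line ends the process list
        else:
            match = RUN_LINE.match(line)
            if match:
                findings.extend(check_run_value(match["name"], match["cmd"]))
    return findings

# Constructed excerpt of the second log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\spoo1sv.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SVCH0ST] C:\WINDOWS\system\spoo1sv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for source, item, reason, canon in scan_log(SAMPLE_LOG):
        print(f"{source:9} {reason:15} {item}  (resembles {canon})")
```

On the sample the script reports the spoo1sv.exe process, the SVCH0ST value name and the image that value launches; legitimate spoolsv.exe and svchost.exe in system32 produce nothing.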
Title: Re: spoo1.exe
Post by: pacman2004 on June 29, 2005, 02:41:09 PM
Hello FreewheelinFrank

I followed your instructions.  I found 2 things.

1.  There are no files with the name spoo1.exe in windows\system subfolder, although the scan log shows otherwise.

2.  spoo1.exe appears in the windows\Prefetch subfolder. (And I deleted this while in safe mode).

After rebooting again, spoo1.exe appears to have been deleted (It's found in my recycle bin).  I did not encounter any more messages telling me that my homepage has been changed.

I ran HijackThis again to get the latest scan... and those messages start appearing again!!

Remember, I started this thread saying that I used a software "Autorun" from sysinternal and also deleted the file while in safe mode? (Similar to what you have suggested, except that the software used now is HijackThis.) I ran HijackThis back then just to check it out, and the same thing happened.

It seems like I am back to square one! This is driving me crazy!!
Title: Re: spoo1.exe
Post by: pacman2004 on June 29, 2005, 03:02:14 PM
I would also like to add that spoo1.exe found its way back to the Windows\Prefetch subfolder again!

Raman:

I scanned the file using the address provided...No results.
Title: Re: spoo1.exe
Post by: FreewheelinFrank on June 29, 2005, 03:07:54 PM
Hello again Pacman2004,

As it seems the virus might be hiding out in prefetch, can you empty all temporary folders and clear out prefetch as described here:

http://safecomputing.umn.edu/guides/tempdirectories.html

Then could you do another boot time scan with avast! because a lot of new virus definitions have been added.

There are also two very powerful anti-Trojan programs which you could try:

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/

They both have a free trial, and will find Trojans that anti-virus programs miss.

Finally, download Winpatrol:

http://www.winpatrol.com/

Install and run the program and select Active Tasks. If you see spoo1sv.exe in the list, right click it and select Delete File on Reboot.

Finally run HijackThis! again so we can check that your computer is clean.

Good luck!

Title: Re: spoo1.exe
Post by: FreewheelinFrank on June 29, 2005, 03:43:36 PM
Pacman2004,

I found removal instructions for Souljet, of which spoo1sv.exe is a symptom, here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOULJET%2EC&VSect=Sn

If the above fails, do a scan with the Trend Micro online scanner, make a note of infected files found and proceed as described in the link.

Edit: If the Trojan is installing services, this would explain why it is returning. These services didn't appear in the HijackThis log, where they should appear in the O23 section. ???
Title: Re: spoo1.exe
Post by: pacman2004 on July 01, 2005, 04:00:48 PM
Hello FreewheelinFrank

No luck at all.

I have done a boot scan... it detected nothing. TrojanHunter and WinPatrol don't work. The Trend Micro online scanner did not detect this either.

Any particular reason why HijackThis caused spoo1sv.exe to "revive"?

What next? :-\
Title: Re: spoo1.exe
Post by: FreewheelinFrank on July 01, 2005, 09:18:52 PM
Hi Pacman2004,

To recap:

You have virus-like symptoms on your computer and you have found a file spoo1sv.exe which you think is responsible. This file is identified on the web as part of the SoulJet Trojan, but when you uploaded it to Jotti's scanner, all the tests were negative. The file came back when deleted (even when you removed the start-up entry with HijackThis!), so it certainly behaves like malware. None of the programs I recommended has detected or removed this file.

Well, it looks like this might be a new variant of the Trojan, not yet recognised by anti-virus or anti-Trojan programs.

If it is like SoulJet, it will install itself as a Windows service, so that deleting the file will be useless, as services run even in safe mode; the Trojan can simply recreate the file later on. If it is doing this, the service is not appearing in HijackThis!, so we haven't seen it.

There are several things to do:

Submit the file to avast! for analysis. Follow DavidR's instructions in this thread:

http://forum.avast.com/index.php?topic=14717.msg124035#msg124035

Check to see if other anti-virus programs identify the Trojan. This usually takes from a few hours to a few days. Can you submit the file again to Jotti's scanner and see if it is identified as malware by any of the programs? Repeat this daily, because eventually one of the programs should identify it.

Try some more online scanners and see if any pick it up. You can try these:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://support.f-secure.com/enu/home/ols.shtml

and of course the Housecall scanner again.

Finally, you could search the registry for these entries:

    * HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Enum>Root>LEGACY_NETMM
    * HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Netmm

If you find these, it is the Trojan service as described by Trend Micro. Do not delete these keys, but tell me if you find them.

Please let me know what happens.

Title: Re: spoo1.exe
Post by: pacman2004 on July 02, 2005, 06:08:57 AM
Hello FreewheelinFrank

I noticed something peculiar when I open MS Word. It seems that the "copy" function has been activated every time I open MS Word. There is this icon with an "I" and three small vertical lines appearing. Normally this appears when we copy and paste things in MS Word.

So I clicked the "paste" function and this web address appeared: http//www.18hicom/123.exe (happens every time I do this in MS Word). This is the web page that the virus was installed from!

I didn't go into detail earlier about how my PC was infected. It was like this: I received an e-mail from a friend. There were no attachments in the e-mail except for the web address above. So I opened Explorer and keyed in this address. Some message appeared (can't remember what it was, probably about running some program) and I clicked OK. That's when all the trouble started. In hindsight, it's really my stupidity that caused my PC to be infected.

I will try out what you have recommended and will inform you if there are new developments.  Really appreciate your advice and instructions :)

 




Title: Re: spoo1.exe
Post by: FreewheelinFrank on July 02, 2005, 09:30:26 AM
Hi Pacman2004,

Could you also try these rootkit detection programs, just to see if you have a rootkit hiding malware programs and registry entries?

http://www.sysinternals.com/Utilities/RootkitRevealer.html

http://www.f-secure.com/blacklight/

Edit: Please carry out the scans in my second posting first, as I think they will be more productive!
Title: Re: spoo1.exe
Post by: FreewheelinFrank on July 02, 2005, 10:14:16 AM
Hi Pacman2004,

A web search on 123.exe brings up some interesting results!

eTrust describe a Trojan called Sinister Uploader 1.0 which uses an install file name 123.exe, is hidden from the user, and produces task bar blink, all of which fits what you describe.

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075414

Panda call this Trojan Trj/W32.Apher, so it will be interesting to see if the Panda scanner detects anything.

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=38228

eTrust also have an online scanner, so I recommend trying that:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Sophos describe a Trojan called Troj/VB-GX which downloads a file called 123.exe from a remote location. Symptoms include the start page being set to "about:blank" which you describe. This is a new Trojan, emerging last month, and only added to the Sophos definitions this month, so this might also be the culprit!

http://www.sophos.com/virusinfo/analyses/trojvbgx.html

Sophos have a downloadable scanner you can try called SAV32CLI. You have to download it, unzip the folder and copy it to a CD. You then boot into safe mode with command prompt and run the following commands:

D:

CD SAV32CLI

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

Full instructions on this page:

http://www.sophos.com/support/disinfection/trojan.html

So, run the Panda and eTrust online scanners, and download and run the Sophos scanner; I think we'll get a result this time!

Title: Re: spoo1.exe
Post by: pacman2004 on July 08, 2005, 04:39:22 PM
Hello FreewheelinFrank

I happened to chance on a Chinese forum describing this file spoo1sv.exe.

I will give a rough translation: spoo1sv.exe created 2 files, win.dll and windll.dll, in the c:\windows\system subfolder. After repairing, deleting and restarting, the problem is solved.

I am tempted to delete these 2 files but I am not sure about the "repairing" part. How do I "repair" before I delete the files?

And are these 2 files supposed to be located in the system folder in the first place?
Title: Re: spoo1.exe
Post by: Eddy on July 08, 2005, 04:53:56 PM
spoo1sv.exe is the Souljet trojan that steals passwords from your system.
To remove it:

1) Disable System Restore (Windows Me/XP).
2) Update the virus definitions.
3) Restart the computer in Safe mode or VGA mode.
4) Run a full system scan and delete all the files detected as PWSteal.Souljet.
5) Reverse the changes made to the registry.
   (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\spoo1sv.exe)
6) Change all your passwords.
Title: Re: spoo1.exe
Post by: pacman2004 on July 08, 2005, 05:46:45 PM
Hello Eddy, FreewheelinFrank

I think the problem is solved. The virus is TROJ_VB.FN.

The solution can be found at:

http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?VName=TROJ_VB.FN

This is my latest scan:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:33 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AdwareAlert] C:\Utilities\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [WinPatrol] c:\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED167D02-FBA5-4053-99C6-588473EB4C04}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

Title: Re: spoo1.exe
Post by: pacman2004 on July 08, 2005, 05:50:55 PM
Hello Eddy

After reading the description of the virus at the Trend Micro website, this virus doesn't seem to be stealing information?

I suppose the data in my PC won't be compromised then.

Please advise.  Thank you. 
Title: Re: spoo1.exe
Post by: Eddy on July 08, 2005, 06:04:49 PM
Your system is still infected with malware.
- adwarealert.exe
- O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll

FOLLOW THESE INSTRUCTIONS (http://82.75.52.232/ache/cleaning.htm)
Title: Re: spoo1.exe
Post by: FreewheelinFrank on July 08, 2005, 08:02:53 PM
Hi Pacman2004,

msntb.dll is listed as legitimate at castlecops, so you decide if you want to keep it:

http://castlecops.com/clsid-897.html

AdwareAlert is a 'rogue' product: it claims to remove malware but doesn't:

http://castlecops.com/s9265-AdwareAlert_Exe.html
http://www.spywarewarrior.com/rogue_anti-spyware.htm

You should be able to remove it from Add/Remove Programs. Get Ad-Aware and Spybot Search & Destroy instead because they work and they are free:

http://www.lavasoft.de/

http://www.safer-networking.org/en/download/

I'm glad your computer is working OK now, although I'm a little confused.

windll.dll seems to be Netbus which avast! should have identified as it was added to definitions in 2004.

http://securityresponse.symantec.com/avcenter/venc/data/backorifice.html

I guess the references to repairing you found mean removing registry entries as described in the Symantec article.

win.dll is created by a couple of Trojans but not by Souljet, according to Symantec.

And what happened to spoo1sv.exe?

Did any of the scans I recommended find and delete anything?

Anyway, I'm glad to hear you're not having any more problems.

FF
Title: Re: spoo1.exe
Post by: pacman2004 on July 09, 2005, 05:45:36 AM
Hello Freewheelin Frank & Eddy,

I cleaned the Adaware Alert.exe, and deleted win.dll & windll.dll. 

No trace of spoo1sv.exe in the Prefetch folder either.  I suppose it has been removed  :)

The scans recommended detected some other things, but not this spoo1sv.exe.

Also the Panda scanner doesn't seem usable because Avast detects a Win32?? (can't remember the exact name) during the scan process.  I had to abort the scan.  Tried twice, same thing happened.

E-trust scanner gave no results, same as Jotti scanner.

TrojanHunter found something (actually they are game patches I downloaded).  It did not detect spoo1sv.exe either.

By the way, what is this?
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
Is this malware?


My latest scan :

Logfile of HijackThis v1.99.1
Scan saved at 11:14:37 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

Title: Re: spoo1.exe
Post by: MFB on July 09, 2005, 06:19:27 AM
FIX these:

      O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll

Not sure about these:
      O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll

      O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll

      O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win

      O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
Title: Re: spoo1.exe
Post by: FreewheelinFrank on July 09, 2005, 09:35:31 AM
Hi Pacman2004,

You can safely disable avast! during the Panda scan because the warning is a false alarm.

nwiz.exe is not malware. It's from NVIDIA Corporation, but it's not an essential process, so you could disable it to improve performance:

http://www.liutilities.com/products/wintaskspro/processlibrary/nwiz/

I guess one of the scans you did removed the Souljet Trojan, of which spoo1sv.exe is a component. Different scanners use different names, so it might not even have been identified as Souljet.

The mybands.dll entry needs to go, as Fixer has noticed.

Have you run Ad-Aware and Spybot which I mentioned in my previous post? They may well remove it. Otherwise follow these removal instructions:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453079074

FF
Title: Re: spoo1.exe
Post by: Eddy on July 09, 2005, 10:17:56 AM
In a couple of days I will release the next version of my HJT log file analyzer with additions to the databases.
The current version can be found HERE (http://members.home.nl/b.brink/hiloa01b.exe)

Note:
It is a beta version, so if you use it, please let me know if you find any shortcomings.
Title: Re: spoo1.exe
Post by: pacman2004 on July 10, 2005, 04:58:35 AM
Hello Freewheelin Frank & Fixer

 O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll

This file is part of a Chinese software package that I have, which pronounces the Chinese characters as I input them.

I was looking at the rest of the files in the subfolder.  They were all created on the same date... so this is not something that got into my PC while I was surfing the net.

Will it affect the proper working of the software if I delete mybands.dll?

And I have been running Ad-Aware & Spybot a couple of times (in normal & safe mode) during the past 2 weeks.  Neither program detected this as spyware.

Title: Re: spoo1.exe
Post by: Eddy on July 10, 2005, 05:04:22 AM
mybands.dll is malware

Site 1 (http://www.spyany.com/files/mybands_dll.html)
Site 2 (http://castlecops.com/tk738-mybands_dll.html)
Site 3 (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453079074)