Re: Trojan horse Downloader.Stubby.A

From: Mike Burgess (winhelp2002_at_spamthis.com)
Date: 12/09/03

  • Next message: Bruce Chambers: "Re: Fictitious Microsoft Security Update email"
    Date: Tue, 9 Dec 2003 00:07:31 -0500
    
    

    Bill,
    >"Sorting out the dross from this kind of list is going to take some real
    care"
    And then there is the file size (16 kb), then you get several replies
    ....... [ugh!]

    Not to mention some amateurs giving advice on what to remove and what not.
    This kind of thing is best left to the "Forums guys" that deal with these
    logs.

    Anyway, looking over your log ........"O4" and "O16" can go ...

    O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\Updreg.exe

    http://www.liutilities.com/products/wintaskspro/processlibrary/updreg/

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/10085e868404f4209c21/netzip/RdxIE.cab

    http://www.google.com/search?num=20&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=NetZip+%2B+spyware
    ____________________________________________________________
    Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
    Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
    http://www.mvps.org/winhelp2002/hosts.htm [updated 12-08-03]
    Please post replies to this Newsgroup, email address is invalid

    --
    "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
    news:%23SYAmhgvDHA.2308@TK2MSFTNGP11.phx.gbl...
    > I just ran HijackThis on my system.
    >
    > It was useful--it allowed me to remove a couple of startups, one of which
    > remained from a manual ripping out by the roots of some software, and
    > another of which I was tired of seeing in my notification area.
    >
    > OTOH, here's what was left.  There's a lot here, and I believe it is all
    > stuff that is reasonably safe and that I want.  Sorting out the dross from
    > this kind of list is going to take some real care, no?
    >
    > -----------------------------------------------------------
    > Logfile of HijackThis v1.97.7
    > Scan saved at 10:54:36 PM, on 12/8/2003
    > Platform: Windows XP SP1 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    > Running processes:
    > E:\WINDOWS\System32\smss.exe
    > E:\WINDOWS\system32\winlogon.exe
    > E:\WINDOWS\system32\services.exe
    > E:\WINDOWS\system32\lsass.exe
    > E:\WINDOWS\system32\svchost.exe
    > E:\WINDOWS\System32\svchost.exe
    > E:\WINDOWS\system32\spoolsv.exe
    > E:\WINDOWS\Explorer.EXE
    > E:\Program Files\Google\ggviewer67-34.exe
    > E:\Program Files\TZO\TZOClient.exe
    > E:\WINDOWS\System32\taskswitch.exe
    > E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    > C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    > E:\WINDOWS\System32\ctfmon.exe
    > E:\WINDOWS\System32\devldr32.exe
    > E:\Program Files\MSN Messenger\MsnMsgr.Exe
    > E:\Program Files\AnalogX\TSDropCopy\tsdc.exe
    > E:\Program Files\United Devices\UD.exe
    > E:\Program Files\United Devices\ud_1706422.exe
    > E:\WINDOWS\System32\CTsvcCDA.EXE
    > E:\WINDOWS\System32\inetsrv\inetinfo.exe
    > E:\Program Files\United Devices\ud_1706422_0.dir\ud_ligfit_Release.exe
    > E:\WINDOWS\System32\ScsiAccess.EXE
    > E:\WINDOWS\System32\tcpsvcs.exe
    > E:\WINDOWS\System32\snmp.exe
    > E:\WINDOWS\System32\svchost.exe
    > E:\Program Files\TZO\TZO_NT_Service.exe
    > E:\WINDOWS\System32\VetMsgNT.exe
    > E:\WINDOWS\System32\MsPMSPSv.exe
    > E:\Program Files\Outlook Express\msimn.exe
    > E:\Program Files\SpamPal\spampal.exe
    > E:\Documents and Settings\billS\Desktop\hijackthis\HijackThis.exe
    >
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bill Sanderson's Microsoft Internet Explorer
    > R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=127.0.0.1:80
    > O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    > O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
    > O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    > O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
    > O4 - HKLM\..\Run: [TZOClient] E:\Program Files\TZO\TZOClient.exe
    > O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\Updreg.exe
    > O4 - HKLM\..\Run: [AHQInit] E:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    > O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\System32\taskswitch.exe
    > O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    > O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
    > O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    > O4 - HKLM\..\Run: [Qwik-Fix] "E:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    > O4 - HKLM\..\Run: [VetTray] c:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    > O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
    > O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    > O4 - Startup: SpamPal.lnk = E:\Program Files\SpamPal\spampal.exe
    > O4 - Startup: TSDropCopy.lnk = E:\Program Files\AnalogX\TSDropCopy\tsdc.exe
    > O4 - Startup: UD Agent.lnk = ?
    > O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    > O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    > O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    > O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    > O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    > O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    > O8 - Extra context menu item: Translate Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    > O9 - Extra button: Related (HKLM)
    > O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    > O9 - Extra button: Messenger (HKLM)
    > O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    > O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    > O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    > O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    > O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=Compaq
    > O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://msfm.interwise.com/msfm/English/ActiveX/IWsystemchecks.cab
    > O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E2} (ShowSetupObj2 Class) - http://invite.mshow.com/ShowSetup2.dll
    > O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E3} (ShowSetupObj3 Class) - http://invite.mshow.com/ShowSetup.cab
    > O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    > O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
    > O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1063205794992
    > O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    > O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/10085e868404f4209c21/netzip/RdxIE.cab
    > O16 - DPF: {41E95AF7-BB7B-403D-8E8B-4162188943DE} (INVC Participant Console 1.51) - http://66.228.194.114/in/clients/listener/bin/inlist151.cab
    > O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    > O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://msfm.interwise.com/IWCampus/student/client/iftwclix.cab
    > O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    > O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,56/mcinsctl.cab
    > O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
    > O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0503130719ab0a231c04/netzip/RdxIE6.cab
    > O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    > O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
    > O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003031101/housecall.antivirus.com/housecall/xscan53.cab
    > O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://fgc2003/tsweb/msrdp.cab
    > O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
    > O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    > O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    > O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab
    > O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    > O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37575.7315856482
    > O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    > O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    > O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
    > O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwbf.ops.placeware.com/etc/place/RCC-BETA/pws-ms-04/5100-zi/lib/quicksilver.cab
    > O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    > O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} (ScanMe Class) - http://download.microsoft.com/download/win2000platform/Utility/416/NT45XP/EN-US/mssecuredll.cab
    > O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    > O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    > O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
    > O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    > O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    >
    <snip>
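The reply above does the triage by eye: pick the O4 (autostart) and O16 (Downloaded Program Files, i.e. ActiveX controls installed from a URL) entries out of a 16 kb log and look at where each one came from. The script below is an added example, not from the thread and not part of HijackThis: it parses those two entry types from log lines in the v1.97.7 format, strips the O4 command lines down to the program path, and flags O16 entries by the shape of their download URL. The flagging rules (bare IP host, long opaque hex path segment, single-label host) are this example's own assumptions drawn from how the two netzip RdxIE lines look, and a flag means "look at this", not "remove it". The sample log lines are constructed from the log quoted in the thread, shortened.

```python
"""Triage helper for HijackThis-style logs (added example; heuristics are my own)."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a few lines in the shape of the v1.97.7 log quoted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpamPal.lnk = E:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/10085e868404f4209c21/netzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0503130719ab0a231c04/netzip/RdxIE6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://fgc2003/tsweb/msrdp.cab
"""

# O4 has two shapes: registry Run keys ("[name] command") and Startup-folder
# shortcuts ("name.lnk = target", where the target is "?" if unresolved).
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# O16: CLSID, friendly name (which may itself contain parentheses), download URL.
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<name>.+)\) - (?P<url>\S+)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))", re.IGNORECASE)
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def exe_path(cmd):
    """Strip quoting and arguments from an O4 command line, leaving the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)            # unquoted path may contain spaces; stop at the extension
    return m.group(1) if m else cmd


def parse_log(text):
    """Return {'O4': [...], 'O16': [...]} with one dict per recognised entry."""
    entries = {"O4": [], "O16": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries["O4"].append({"key": m["key"], "name": m["name"],
                                  "cmd": m["cmd"], "exe": exe_path(m["cmd"])})
            continue
        m = DPF_RE.match(line)
        if m:
            entries["O16"].append({"clsid": m["clsid"].upper(), "name": m["name"], "url": m["url"]})
    return entries


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def dpf_findings(entries):
    """Flag O16 entries by download-URL shape (assumed heuristics, not HijackThis logic)."""
    findings = []
    for e in entries["O16"]:
        u = urlparse(e["url"])
        host = u.hostname or ""
        reasons = []
        if _is_ip_literal(host):
            reasons.append("download host is a bare IP address")
        elif "." not in host:
            reasons.append("single-label host (intranet server?)")
        if any(HEX_TOKEN_RE.match(seg) for seg in u.path.split("/")):
            reasons.append("opaque hex token in path (per-download tracking URL)")
        if reasons:
            findings.append((e["clsid"], e["name"], reasons))
    return findings


def repeated_dpf_names(entries):
    """Same control name registered under several CLSIDs; worth a second look."""
    by_name = defaultdict(list)
    for e in entries["O16"]:
        by_name[e["name"]].append(e["clsid"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed["O4"]:
        print(f"O4  {e['key']:<16} {e['name']:<34} -> {e['exe']}")
    for clsid, name, reasons in dpf_findings(parsed):
        print(f"O16 {{{clsid}}} {name}: " + "; ".join(reasons))
    for name, ids in repeated_dpf_names(parsed).items():
        print(f"O16 '{name}' appears under {len(ids)} CLSIDs: {', '.join(ids)}")
```

Run against the sample, the two netzip entries are flagged on both the bare-IP host and the hex path token, the RDP control is flagged only because `fgc2003` is a single-label (intranet) name, and the Apple control is not flagged at all; `repeated_dpf_names` also reports that "RdxIE Class" is registered under two CLSIDs, which the full log shows as well. To use it on a real log, replace `SAMPLE_LOG` with the file contents; the parser ignores lines it does not recognise.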
    
