Trishb148

Infected with Spigot trojan

5 posts in this topic

My system has a Spigot trojan. Malwarebytes id'd it and removed it, but SearchSettings.exe is re-launched at each boot. I followed the steps in the "I'm infected..." thread, but GMER ran for more than 3 hours, then froze my system, requiring a power off/on. I used RKUnhookerLE the 2nd time with Drivers and Stealth checked. Please take a look and advise as to what my next steps should be. Thanks very much.

_______________________________________________________________________________________________

DDS (Ver_11-03-05.01) - NTFSx86

Run by Trish Baskin at 19:38:50.28 on Thu 05/12/2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.482 [GMT -4:00]

.

AV: ZoneAlarm Security Suite Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Security Suite Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe

C:\WINDOWS\system32\lxducoms.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe

C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe

C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe

C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

C:\WINDOWS\LOGI_MWX.EXE

C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Greenshot\Greenshot.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Documents and Settings\Trish Baskin\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.pctools.com/mrc/fix_homepage/

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [Mozilla Quick Launch] "c:\program files\mozilla.org\mozilla\Mozilla.exe" -turbo

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\trish baskin\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [Apoint] "c:\program files\apoint\Apoint.exe"

mRun: [AzMixerSel] "c:\program files\realtek\installshield\AzMixerSel.exe"

mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"

mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"

mRun: [TVTunerLib] "c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe"

mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

mRun: [VZRemoteCommander] "c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe"

mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"

mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"

mRun: [Lexmark 5600-6600 Series Fax Server] "c:\program files\lexmark 5600-6600 series\fm3032.exe" /s

mRun: [Logitech Utility] "LOGI_MWX.EXE"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

StartupFolder: c:\docume~1\trishb~1\startm~1\programs\startup\greens~1.lnk - c:\program files\greenshot\Greenshot.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\gjj1qsha.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll

FF - plugin: c:\documents and settings\trish baskin\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\trish baskin\application data\mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\trish baskin\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-12-22 128016]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-12-22 317072]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-12-22 528128]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-8-27 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-8-27 493032]

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]

R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-3-24 98984]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-26 136176]

S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-26 136176]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-7-14 14336]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

.

=============== Created Last 30 ================

.

2011-05-05 17:02:25 8255005 ----a-w- c:\documents and settings\all users\SPL240.tmp

2011-04-25 23:41:26 -------- d-----w- c:\docume~1\trishb~1\locals~1\applic~1\PCHealth

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

==================== Find3M ====================

.

2011-04-05 11:34:46 19508 ----a-w- c:\documents and settings\all users\SPL142.tmp

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 19:42:46.09 ===============
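As an added example (not from the original post and not part of the DDS tool), here is a small Python parser for the Run, TB and Firefox lines of a DDS "Pseudo HJT Report" that flags entries whose path points into the Spigot directory, as well as toolbar CLSIDs registered with "No File". The sample lines and the watch list are constructed for this example from the shape of the log above.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# FIREFOX sections; not a real log capture.
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
"""

# Hypothetical watch list of path fragments tied to the adware family in
# the thread; compared against lowercased paths.
WATCHLIST = ("\\spigot\\", "searchsettings.exe", "widgitoolbar")

# uRun = per-user (HKCU) Run key, mRun = machine-wide (HKLM) Run key.
RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))')
FF_RE = re.compile(r'^FF - (?P<kind>component|plugin):\s+(?P<path>.+)$')
TB_RE = re.compile(r'^TB: (?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$')

def parse_dds(text):
    """Return one dict per recognised autorun / extension / orphan-toolbar line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path = (m["qpath"] or m["upath"]).strip()
            entries.append({"type": "run", "hive": "HKCU" if m["hive"] == "u" else "HKLM",
                            "name": m["name"], "path": path.lower()})
            continue
        m = FF_RE.match(line)
        if m:
            path = m["path"].strip()
            entries.append({"type": "ff-" + m["kind"], "name": path.rsplit("\\", 1)[-1],
                            "path": path.lower()})
            continue
        m = TB_RE.match(line)
        if m:
            # Toolbar CLSID still registered but the DLL is gone: stale leftover.
            entries.append({"type": "orphan-toolbar", "name": m["clsid"], "path": ""})
    return entries

def flag_suspicious(entries, watchlist=WATCHLIST):
    """Return (entry, reason) pairs worth showing the helper."""
    flagged = []
    for e in entries:
        if e["type"] == "orphan-toolbar":
            flagged.append((e, "toolbar CLSID registered but its file is missing"))
            continue
        hits = [w for w in watchlist if w in e["path"]]
        if hits:
            flagged.append((e, "path matches " + ", ".join(hits)))
    return flagged

if __name__ == "__main__":
    for entry, reason in flag_suspicious(parse_dds(SAMPLE_DDS)):
        print(entry["type"], entry["name"], "->", reason)
```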


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

1. Click Start > Settings > Control Panel.

2. Next, open Add/Remove Programs and remove if listed:

Spigot

IObit

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


When I looked at the program list, I saw IOBit Toolbar v 4.1, but not Spigot, even though Searchsettings started up at previous reboot. When I went to remove IOBit, I got a message that MS Windows Installer couldn't be accessed. I'm not sure whether that's related to the Spigot trojan, but I went to the MS site and followed instructions for reregistering the Installer, but I found that the MSIServer service was listed under ControlSet001, but not under CurrentControlSet, which is where MS said it should be. Rather than mess around blindly, I decided to use the alternate method from MS, and downloaded a new dist pkg from them and ran it. Seems to be working fine now, so I removed IOBit, ran ATFCleaner, and rebooted. The first thing I checked for was SearchSettings.exe running, and it isn't there. System is running much better now. Original symptoms were mostly things like low memory messages, occasionally programs taking a long time to load or failing to ever go active, scripts going "busy" or hanging. Is there anything further I should do in this instance?

Going forward, I have the free version of ZoneAlarm, run Malwarebytes regularly, use WOT, follow basic security rules regarding emails, downloads, etc. Should I be doing something, or installing something specific regarding trojans? They can be a real pain to get rid of as I'm sure you know:} Thanks.


I suggest you consider purchasing Malwarebytes Pro so it is an active protection program.


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
