TR/swizzor

Discussion in 'Malware Help (A Specialist Will Reply)' started by BadMONKEYgirl, Apr 18, 2006.

  1. BadMONKEYgirl

    BadMONKEYgirl Private E-2

    Greetings,

    Problem: Anti-Vir continues to find the trojan TR/swizzor.A in various .exe files in my documents and settings on my c: drive.


    Steps taken:

    First I tried the options Anti-Vir gave me (deny access, quarantine, delete, etc., all except "ignore"), but the message kept coming back after I'd kept working for a while. So I turned to Major Geeks.

    I read and ran "READ AND RUN ME FIRST" but I am still having problems.

    First let me say that I was not able to run BitDefender or Panda. I used IE, but the button to agree to the terms for BitDefender was not really a link but an image, and Panda, well, I left Panda saying it was running overnight and in the morning it still said it was running. I assumed it was mistaken and didn't bother too much because the instructions said to run BitDefender before Panda anyway.

    After running HijackThis I tried to follow the instructions in the thread about HJT logs describing what each line means and which ones to fix.

    The problem persists.

    I will post my log file for HJT.

    System: Windows XP, SP2.
    Configuration: C: drive with operating system (temporary files saved here by default)

    E: Drive with my documents (no trojans on this drive)

    Speculation about cause:

    Generally I use Firefox as my browser. Right before I had this problem I was using IE to preview a website I'm building. In my mind using IE is like sleeping with a prostitute: you never know what you're gonna get.

    Final note:

    I consider myself to be on the lower end of intermediate when it comes to knowledge about my system.
    I hope I've given you all the information needed and I look forward to learning something in the process of ridding myself of this evil trojan.

    Thanks,
    BadMonkeygirl
    aka Thebigbadassmonkeyman
    aka Liz
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    First a couple of questions. I see pieces of Symantec still installed, but you are running AntiVir. I see the below:

    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\SymProxySvc.exe (file missing)
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Did you uninstall all of Symantec Software?

    I see no reason in your HJT log that would indicate a reason for not being able to run the online scans. In addition, your HJT log does not show any major issues, just a couple of minor problems that we will fix. You really need to try to run the online scans. If you cannot run them, you will have to run a couple of other local scans.

    Are the below for something you installed? It seems broken, based on the O23 service entry, and that does not seem to be a valid location for the service to be installed.
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    Is the below your valid start page:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nakedsimian.com/tmeplate.html



    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [defy tray eq mp3] C:\Documents and Settings\All Users.WINDOWS\Application Data\Atom Find Defy Tray\forklocks.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Atom Find Defy Tray <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    If you are still having problems and still cannot run the online scanners from step 6 of the READ ME then run the below and attach the Ewido log.

    Running Ewido Anti-Malware
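    The admin's reply above works by reading HijackThis entries by hand: O23 service lines with "(file missing)", an O4 Run entry launching an .exe from under Documents and Settings, and a service whose image path has collapsed to C:\Program.exe. The script below is an added example (not code from the thread or from HijackThis) that applies the same three checks automatically over sample log lines. The sample is constructed for this example: the O23, R0 and O4 lines are the ones quoted in the thread, and the final ctfmon line is invented as a benign control. The truncated-path check generalises the MySQL entry: an unquoted service path such as C:\Program Files\... is split at its first space by the service manager, which is why it shows up as C:\Program.exe.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The O23, R0 and first O4 lines are the ones quoted
# in the thread; the ctfmon line is made up here as a benign control.
SAMPLE_LOG = r"""
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\SymProxySvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nakedsimian.com/tmeplate.html
O4 - HKLM\..\Run: [defy tray eq mp3] C:\Documents and Settings\All Users.WINDOWS\Application Data\Atom Find Defy Tray\forklocks.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    entry: str    # HJT section tag: O23, O4 or R0
    subject: str  # service name, Run label or registry value name
    reason: str   # why a human should look at this line


O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^R0 - (?P<key>.+?) = (?P<value>.+)$")

# Per-user profile locations. Legitimate software rarely autostarts an .exe
# from here, and it is exactly where the thread's forklocks.exe lived.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\")

# 'C:\Program.exe' is what an unquoted 'C:\Program Files\...' image path
# becomes once the service manager splits it at the first space.
TRUNCATED_PATH_RE = re.compile(r"^[a-z]:\\program\.exe$")


def review_line(line):
    """Return the findings for one HijackThis log line (empty list if none)."""
    findings = []
    m = O23_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if m.group("missing"):
            findings.append(Finding("O23", name,
                                    "image file missing: orphaned service entry"))
        if TRUNCATED_PATH_RE.match(path.lower()):
            findings.append(Finding("O23", name,
                                    "image path truncated at a space: unquoted 'Program Files' path"))
        return findings
    m = O4_RE.match(line)
    if m:
        if any(d in m.group("cmd").lower() for d in PROFILE_DIRS):
            findings.append(Finding("O4", m.group("label"),
                                    "autostart launches an executable from a user profile directory"))
        return findings
    m = R0_RE.match(line)
    if m:
        # Not flagged as bad on its own; the owner has to confirm it, as in the thread.
        findings.append(Finding("R0", m.group("key"),
                                "start page is %s: confirm it is one you set" % m.group("value")))
    return findings


def review_log(text):
    """Run review_line over every non-blank line of an HJT log."""
    findings = []
    for line in text.strip().splitlines():
        findings.extend(review_line(line.strip()))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.entry:<4}{f.subject}: {f.reason}")
```

    Run against the sample, the script flags the orphaned Norton service, the MySQL service twice (file missing and truncated path), the Run entry under Application Data, and reports the start page for the user to confirm; the SymWSC and ctfmon lines produce nothing.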
     
  3. BadMONKEYgirl

    BadMONKEYgirl Private E-2

    Hi.
    Here's the latest

    I am able to view hidden files and folders, but didn't see anything from Symantec in my program files, but I went into Add and Remove Programs and there was a "Norton WMI" which I removed.

    Either I downloaded the MySQL program when I downloaded phpbb earlier this month, or I downloaded it prior to that when I was going to try to build my own database, and I deleted the setup file.

    The start page for IE is correct.

    I was able to make the manual deletions in safe mode and I was able to run the online scans when I logged back on in normal mode.

    Lastly I made a new HijackThis log.

    All three logs are attached.

    So far, I haven't received any more error messages about the trojan.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay delete the below (use safe mode if necessary):

    C:\Documents and Settings\liz\Application Data\1 Download Funk <--- the whole folder

    Is Build Soft Audio a valid application folder? If not then delete the whole Build Soft Audio folder. Otherwise delete the individual files listed below.
    C:\Documents and Settings\liz\Application Data\Build Soft Audio\plan new.exe
    C:\Documents and Settings\liz\Application Data\Build Soft Audio\hrcvxocs.exe
    C:\Documents and Settings\liz\Application Data\Build Soft Audio\tjwflwxr.exe


    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
