Jahewi's Anti-Malware Information
Spyberus test, 1 July 2006
I basically started this test the same way as the last one, but much more carefully.
This way, I had just a few infections (Trojan.DnsChange, adware.QuickLinks, adware.SBsoft, trojan.Sinowal.aa and Trojan.Small.gq).
This is the HijackThis log with the infections:
        Logfile of HijackThis v1.99.1
        Scan saved at 7:06:41, on 2-7-2006
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
        C:\Program Files\Robot Genius\Spyberus\RgView.exe
        C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
        C:\Program Files\ewido anti-spyware 4.0\guard.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\WINDOWS\System32\{941EF1B4-105A-4328-BF90-01D5688D4204}.exe
        C:\WINDOWS\System32\{738E4BCD-780C-479A-B0E8-E01F91E1DF3D}.exe
        C:\Documents and Settings\jahewi\Bureaublad\hijackthis\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
        O1 - Hosts: localhost 127.0.0.1
        O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
        O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{B68F4D94-9292-4325-9B19-D1E0414FB281}.dll
        O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
        O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{B68F4D94-9292-4325-9B19-D1E0414FB281}.dll
        O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
        O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S
        O4 - HKLM\..\Run: [dmdvv.exe] C:\WINDOWS\System32\dmdvv.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
        O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
        O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151121794465
        O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
        O17 - HKLM\System\CCS\Services\Tcpip\..\{E23F6C27-C4AC-4F77-8179-F2ADC9A523A1}: NameServer = 85.255.115.83,85.255.112.206
        O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
        O17 - HKLM\System\CS1\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
        O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
        O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
        O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
        O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

And a screenshot of Spyberus at that time.
For the cleanup, I used Spyberus to remove the package.
It couldn't find an uninstaller, so everything was removed by Spyberus using its own methods.
After the removal was completed, Spyberus reported that it had left some traces, which weren't harmful (it seems to do this every time it has to remove stuff 'the hard way').
After this, the Installed Packages list of Spyberus was empty.
A new HijackThis log and a screenshot of Internet Explorer, however, show that there are still some 'active' leftovers: the SBSoft toolbar is still in place (although HijackThis says "file missing" for it), and the DNS changes made by Trojan.DnsChange are still in place.
        Logfile of HijackThis v1.99.1
        Scan saved at 8:56:56, on 2-7-2006
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
        C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
        C:\Program Files\ewido anti-spyware 4.0\guard.exe
        C:\Program Files\ewido anti-spyware 4.0\ewido.exe
        C:\Documents and Settings\jahewi\Bureaublad\hijackthis\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
        O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
        O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{B68F4D94-9292-4325-9B19-D1E0414FB281}.dll (file missing)
        O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
        O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{B68F4D94-9292-4325-9B19-D1E0414FB281}.dll (file missing)
        O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
        O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
        O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
        O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151121794465
        O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
        O17 - HKLM\System\CCS\Services\Tcpip\..\{E23F6C27-C4AC-4F77-8179-F2ADC9A523A1}: NameServer = 85.255.115.83,85.255.112.206
        O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
        O17 - HKLM\System\CS1\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
        O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
        O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
        O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
        O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
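As an added example (not part of the original post, and not code from Spyberus or HijackThis), here is a small Python checker for the two kinds of leftovers the second log shows: O17 NameServer entries that point DNS at resolvers the operator never configured, and O2/O3 BHO/toolbar registrations whose DLL is gone but whose CLSID is still registered. The sample lines are copied from the post-cleanup log above, except the final 192.168.1.1 line and the allow-list passed to the checker, which are constructed for the example; the line formats assumed are those HijackThis 1.99.1 prints on this page.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99.1 format. The O2/O3/O17 lines are
# copied from the post-cleanup log above; the final 192.168.1.1 line is made up
# here to show what an expected, operator-configured resolver looks like.
SAMPLE_LOG = r"""
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{B68F4D94-9292-4325-9B19-D1E0414FB281}.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{B68F4D94-9292-4325-9B19-D1E0414FB281}.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# O17: HijackThis prints the registry NameServer value verbatim, so the same
# servers show up comma-separated on the per-interface keys and space-separated
# on the Parameters keys. Both separators are accepted below.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")

# O2 (BHO) and O3 (Toolbar): display name, CLSID, DLL path, optional "(file missing)".
ADDIN_RE = re.compile(
    r"^O(?P<section>[23]) - (?P<kind>BHO|Toolbar): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing>\s+\(file\s+missing\))?$"
)


def parse_nameservers(log: str) -> Dict[str, List[str]]:
    """Map each O17 registry key to the list of resolver addresses it sets."""
    servers: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers[m.group("key")] = re.split(r"[,\s]+", m.group("servers").strip())
    return servers


def rogue_nameservers(log: str, allowed: List[str]) -> Dict[str, List[str]]:
    """Keys that point DNS at any address outside the allow-list.

    The allow-list is whatever the operator expects (router, ISP or internal
    resolver). Anything else is how a DnsChange-style modification survives a
    cleanup that only deletes files: the registry value is never touched.
    """
    ok = set(allowed)
    rogue: Dict[str, List[str]] = {}
    for key, addrs in parse_nameservers(log).items():
        bad = [a for a in addrs if a not in ok]
        if bad:
            rogue[key] = bad
    return rogue


def orphaned_addins(log: str) -> List[Dict[str, str]]:
    """O2/O3 registrations whose DLL is gone.

    The CLSID stays registered with IE after the file is deleted, which is why
    the toolbar can still be listed in IE while HijackThis reports the file
    missing; the registration itself has to be removed as well.
    """
    found: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = ADDIN_RE.match(line.strip())
        if m and m.group("missing"):
            found.append({"section": "O" + m.group("section"), "kind": m.group("kind"),
                          "name": m.group("name"), "clsid": m.group("clsid"),
                          "path": m.group("path")})
    return found


def leftover_report(log: str, allowed: List[str]) -> List[str]:
    """Human-readable list of everything a file-only cleanup would have missed."""
    lines: List[str] = []
    for key, bad in rogue_nameservers(log, allowed).items():
        lines.append(f"DNS still redirected: {key} -> {', '.join(bad)}")
    for a in orphaned_addins(log):
        lines.append(f"orphaned {a['kind']} registration: {a['clsid']} ({a['name']}) -> {a['path']}")
    return lines


if __name__ == "__main__":
    # Allow-list is constructed for the example; on a real machine it is the
    # resolver the router or ISP is known to hand out.
    for entry in leftover_report(SAMPLE_LOG, allowed=["192.168.1.1"]):
        print(entry)
```

Running the block prints two DNS findings (the per-interface key and the CS1 Parameters key both still carry the two 85.255.x.x resolvers) and two orphaned registrations (the O2 and O3 entries for the same SearchToolbar CLSID). Feeding it the full log above instead of the sample would list all five O17 keys, which is the point: the ControlSet001/ControlSet002 copies are what a reboot can restore from, so a cleanup has to cover every control set, not just CurrentControlSet.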
As I was cleaning up those traces and checking the computer for any other leftovers, I found some extra Favorites in Internet Explorer.
Jahewi, july 4th 2006