
newbie with problem


  • This topic is locked
18 replies to this topic

#1 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 11 June 2006 - 11:25 AM

I went into safe mode and deleted the atmclk file that I thought was causing all the problems, but I'm still getting pop-ups from IE. At the bottom I added the problems that McAfee keeps popping up with.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 2:15:07 PM, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130608026856
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexi32 - C:\WINDOWS\SYSTEM32\winexi32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Here is my McAfee log file, starting from a couple of days before the problem started.

6/8/2006 5:31:56 PM Statistics:
6/8/2006 5:31:56 PM Files scanned: 1873
6/8/2006 5:31:56 PM Files detected: 0
6/8/2006 5:31:56 PM Files cleaned: 0
6/8/2006 5:31:56 PM Files deleted: 0
6/8/2006 5:31:56 PM Files moved: 0
6/8/2006 7:21:19 PM Engine version = 4.4.00
6/8/2006 7:21:19 PM DAT version = 4780
6/8/2006 7:21:19 PM Number of virus signatures in EXTRA.DAT = None
6/8/2006 7:21:19 PM Names of viruses that EXTRA.DAT can detect = None
6/9/2006 2:04:34 PM Engine version = 4.4.00
6/9/2006 2:04:34 PM DAT version = 4781
6/9/2006 2:04:34 PM Number of virus signatures in EXTRA.DAT = None
6/9/2006 2:04:34 PM Names of viruses that EXTRA.DAT can detect = None

6/10/2006 6:56:45 PM Statistics:
6/10/2006 6:56:45 PM Files scanned: 38522
6/10/2006 6:56:45 PM Files detected: 0
6/10/2006 6:56:45 PM Files cleaned: 0
6/10/2006 6:56:45 PM Files deleted: 0
6/10/2006 6:56:45 PM Files moved: 0
6/10/2006 6:58:33 PM Engine version = 4.4.00
6/10/2006 6:58:33 PM DAT version = 4781
6/10/2006 6:58:33 PM Number of virus signatures in EXTRA.DAT = None
6/10/2006 6:58:33 PM Names of viruses that EXTRA.DAT can detect = None

6/10/2006 6:59:07 PM Statistics:
6/10/2006 6:59:07 PM Files scanned: 48
6/10/2006 6:59:07 PM Files detected: 0
6/10/2006 6:59:07 PM Files cleaned: 0
6/10/2006 6:59:07 PM Files deleted: 0
6/10/2006 6:59:07 PM Files moved: 0
6/10/2006 7:00:32 PM Engine version = 4.4.00
6/10/2006 7:00:32 PM DAT version = 4781
6/10/2006 7:00:32 PM Number of virus signatures in EXTRA.DAT = None
6/10/2006 7:00:32 PM Names of viruses that EXTRA.DAT can detect = None

6/10/2006 11:07:57 PM Statistics:
6/10/2006 11:07:57 PM Files scanned: 7996
6/10/2006 11:07:57 PM Files detected: 0
6/10/2006 11:07:57 PM Files cleaned: 0
6/10/2006 11:07:57 PM Files deleted: 0
6/10/2006 11:07:57 PM Files moved: 0
6/10/2006 11:09:45 PM Engine version = 4.4.00
6/10/2006 11:09:45 PM DAT version = 4781
6/10/2006 11:09:45 PM Number of virus signatures in EXTRA.DAT = None
6/10/2006 11:09:45 PM Names of viruses that EXTRA.DAT can detect = None
6/10/2006 11:21:51 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\mulbin32[1].exe Downloader-AUX (Trojan)
6/10/2006 11:21:57 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\mulbin32[1].exe Downloader-AUX (Trojan)
6/10/2006 11:22:06 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\wizp32[1].exe Generic StartPage.o (Trojan)
6/10/2006 11:22:09 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\wizp32[1].exe Generic StartPage.o (Trojan)
6/10/2006 11:22:18 PM Deleted YOUR-RQRTH0AUDC\User win1A.tmp.exe C:\Program Files\Cowabanga\Cowabanga.exe Downloader-EV (Trojan)
6/10/2006 11:22:22 PM Deleted YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RS2XPW6J\srvjjo[1].exe Downloader-AUX (Trojan)
6/10/2006 11:24:02 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldD904.tmp FakeAlert-B (Trojan)
6/10/2006 11:27:00 PM Statistics:
6/10/2006 11:27:00 PM Files scanned: 2446
6/10/2006 11:27:00 PM Files detected: 16
6/10/2006 11:27:00 PM Files cleaned: 0
6/10/2006 11:27:00 PM Files deleted: 5
6/10/2006 11:27:00 PM Files moved: 0
6/10/2006 11:29:19 PM Engine version = 4.4.00
6/10/2006 11:29:19 PM DAT version = 4781
6/10/2006 11:29:19 PM Number of virus signatures in EXTRA.DAT = None
6/10/2006 11:29:19 PM Names of viruses that EXTRA.DAT can detect = None
6/10/2006 11:31:32 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldD0F5.tmp FakeAlert-B (Trojan)
6/10/2006 11:34:59 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvlfi[1].exe Downloader-AUX (Trojan)
6/10/2006 11:35:02 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvlfi[1].exe Downloader-AUX (Trojan)
6/10/2006 11:37:11 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvchc[1].exe Downloader-AUX (Trojan)
6/10/2006 11:37:14 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvchc[1].exe Downloader-AUX (Trojan)
6/10/2006 11:56:40 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldDFBE.tmp FakeAlert-B (Trojan)
6/11/2006 12:17:17 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvjkr[1].exe Downloader-AUX (Trojan)
6/11/2006 12:17:20 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvjkr[1].exe Downloader-AUX (Trojan)
6/11/2006 12:21:50 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldE5C3.tmp FakeAlert-B (Trojan)
6/11/2006 12:37:26 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvfxr[1].exe Downloader-AUX (Trojan)
6/11/2006 12:37:29 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvfxr[1].exe Downloader-AUX (Trojan)
6/11/2006 12:46:54 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldDBC9.tmp FakeAlert-B (Trojan)
6/11/2006 1:11:56 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldC9C0.tmp FakeAlert-B (Trojan)
6/11/2006 1:37:00 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldB84D.tmp FakeAlert-B (Trojan)
6/11/2006 1:37:43 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RS2XPW6J\srvxgf[1].exe Downloader-AUX (Trojan)
6/11/2006 1:37:46 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RS2XPW6J\srvxgf[1].exe Downloader-AUX (Trojan)
6/11/2006 2:02:03 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldAB09.tmp FakeAlert-B (Trojan)
6/11/2006 2:27:09 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldA4A9.tmp FakeAlert-B (Trojan)
6/11/2006 2:52:15 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld9F06.tmp FakeAlert-B (Trojan)
6/11/2006 3:17:18 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld8E01.tmp FakeAlert-B (Trojan)
6/11/2006 3:42:23 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld8656.tmp FakeAlert-B (Trojan)
6/11/2006 4:07:34 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld86D7.tmp FakeAlert-B (Trojan)
6/11/2006 4:32:38 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld84F6.tmp FakeAlert-B (Trojan)
6/11/2006 4:57:43 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld7E13.tmp FakeAlert-B (Trojan)
6/11/2006 5:22:46 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld6C96.tmp FakeAlert-B (Trojan)
6/11/2006 5:47:51 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld622D.tmp FakeAlert-B (Trojan)
6/11/2006 6:12:54 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld5490.tmp FakeAlert-B (Trojan)
6/11/2006 6:37:57 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld40CE.tmp FakeAlert-B (Trojan)
6/11/2006 7:02:59 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld2DA2.tmp FakeAlert-B (Trojan)
6/11/2006 7:28:01 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld1972.tmp FakeAlert-B (Trojan)
6/11/2006 7:53:06 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld918.tmp FakeAlert-B (Trojan)
6/11/2006 8:04:35 AM Not scanned (scan timed out) YOUR-RQRTH0AUDC\User explorer.exe C:\Documents and Settings\User\My Documents\Programs\World_Wind_1.3.1.1_Full.exe (Virus)
6/11/2006 8:18:09 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldFCCF.tmp FakeAlert-B (Trojan)

6/11/2006 8:27:46 AM Statistics:
6/11/2006 8:27:46 AM Files scanned: 129975
6/11/2006 8:27:46 AM Files detected: 74
6/11/2006 8:27:46 AM Files cleaned: 0
6/11/2006 8:27:46 AM Files deleted: 44
6/11/2006 8:27:46 AM Files moved: 0
6/11/2006 8:29:30 AM Engine version = 4.4.00
6/11/2006 8:29:30 AM DAT version = 4781
6/11/2006 8:29:30 AM Number of virus signatures in EXTRA.DAT = None
6/11/2006 8:29:30 AM Names of viruses that EXTRA.DAT can detect = None
6/11/2006 10:34:00 AM Engine version = 4.4.00
6/11/2006 10:34:00 AM DAT version = 4781
6/11/2006 10:34:00 AM Number of virus signatures in EXTRA.DAT = None
6/11/2006 10:34:00 AM Names of viruses that EXTRA.DAT can detect = None
6/11/2006 10:36:16 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldEFAA.tmp FakeAlert-B (Trojan)
6/11/2006 11:01:21 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldE8D1.tmp FakeAlert-B (Trojan)

6/11/2006 11:18:10 AM Statistics:
6/11/2006 11:18:10 AM Files scanned: 10278
6/11/2006 11:18:10 AM Files detected: 4
6/11/2006 11:18:10 AM Files cleaned: 0
6/11/2006 11:18:10 AM Files deleted: 4
6/11/2006 11:18:10 AM Files moved: 0
6/11/2006 11:19:46 AM Engine version = 4.4.00
6/11/2006 11:19:46 AM DAT version = 4781
6/11/2006 11:19:46 AM Number of virus signatures in EXTRA.DAT = None
6/11/2006 11:19:46 AM Names of viruses that EXTRA.DAT can detect = None
6/11/2006 11:22:04 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldDC57.tmp FakeAlert-B (Trojan)

6/11/2006 11:23:23 AM Statistics:
6/11/2006 11:23:23 AM Files scanned: 1236
6/11/2006 11:23:23 AM Files detected: 2
6/11/2006 11:23:23 AM Files cleaned: 0
6/11/2006 11:23:23 AM Files deleted: 2
6/11/2006 11:23:23 AM Files moved: 0
6/11/2006 11:34:39 AM Engine version = 4.4.00
6/11/2006 11:34:39 AM DAT version = 4781
6/11/2006 11:34:39 AM Number of virus signatures in EXTRA.DAT = None
6/11/2006 11:34:39 AM Names of viruses that EXTRA.DAT can detect = None
6/11/2006 11:36:55 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldF307.tmp FakeAlert-B (Trojan)
6/11/2006 11:44:17 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvsyj[1].exe Downloader-AUX (Trojan)
6/11/2006 11:44:20 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvsyj[1].exe Downloader-AUX (Trojan)
6/11/2006 11:46:23 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\D26A2OAH\srvmmk[1].exe Downloader-AUX (Trojan)
6/11/2006 11:46:26 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\D26A2OAH\srvmmk[1].exe Downloader-AUX (Trojan)
6/11/2006 11:48:29 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\srvork[1].exe Downloader-AUX (Trojan)
6/11/2006 11:48:32 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User iexplore.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\srvork[1].exe Downloader-AUX (Trojan)
6/11/2006 11:50:36 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RS2XPW6J\srvnbu[1].exe Downloader-AUX (Trojan)
6/11/2006 11:50:39 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RS2XPW6J\srvnbu[1].exe Downloader-AUX (Trojan)
6/11/2006 11:52:42 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvagz[1].exe Downloader-AUX (Trojan)
6/11/2006 11:52:45 AM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KX2JRIOI\srvagz[1].exe Downloader-AUX (Trojan)
6/11/2006 12:01:57 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldDE5F.tmp FakeAlert-B (Trojan)
6/11/2006 12:26:59 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldC98F.tmp FakeAlert-B (Trojan)
6/11/2006 12:52:02 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldB7F4.tmp FakeAlert-B (Trojan)
6/11/2006 1:17:05 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldA970.tmp FakeAlert-B (Trojan)
6/11/2006 1:42:08 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld950E.tmp FakeAlert-B (Trojan)
6/11/2006 2:07:11 PM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld8391.tmp FakeAlert-B (Trojan)

Edited by grateful, 11 June 2006 - 11:26 AM.

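As an added example (not code from this thread or from any of the tools named in it), a small Python triage script for the two log formats posted above. It parses HijackThis lines and flags a BHO backed by a .tmp file and a Winlogon Notify DLL that is not on an analyst-maintained allowlist, and it parses McAfee on-access lines to measure how regularly a detection repeats; the sample lines are constructed from the post's entries and the allowlist contents are an assumption.

```python
"""Triage helpers for HijackThis and McAfee VirusScan on-access log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a few lines in the shape of the HijackThis log in the post.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexi32 - C:\WINDOWS\SYSTEM32\winexi32.dll
"""

# Constructed sample: McAfee on-access lines in the shape of the post's log,
# including one "Not scanned" line that carries no detection name.
MCAFEE_SAMPLE = r"""
6/10/2006 11:22:06 PM Move failed (Clean failed) YOUR-RQRTH0AUDC\User firefox.exe C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TRDQXD80\wizp32[1].exe Generic StartPage.o (Trojan)
6/11/2006 2:02:03 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldAB09.tmp FakeAlert-B (Trojan)
6/11/2006 2:27:09 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ldA4A9.tmp FakeAlert-B (Trojan)
6/11/2006 2:52:15 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld9F06.tmp FakeAlert-B (Trojan)
6/11/2006 3:17:18 AM Deleted NT AUTHORITY\SYSTEM winlogon.exe C:\WINDOWS\system32\1024\ld8E01.tmp FakeAlert-B (Trojan)
6/11/2006 8:04:35 AM Not scanned (scan timed out) YOUR-RQRTH0AUDC\User explorer.exe C:\Documents and Settings\User\My Documents\Programs\World_Wind_1.3.1.1_Full.exe (Virus)
6/11/2006 8:27:46 AM Statistics:
"""

HJT_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Winlogon Notify DLLs the analyst has already vetted on this machine.
# Assumed/constructed for the example; maintain it per environment.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}

MCAFEE_RE = re.compile(
    r"^(?P<date>\d+/\d+/\d{4}) (?P<time>\d+:\d\d:\d\d [AP]M) "
    r"(?P<action>Deleted|Cleaned|Moved|Move failed \(Clean failed\)|Not scanned \(scan timed out\)) "
    r"(?P<user>NT AUTHORITY\\\S+|\S+\\\S+) "
    r"(?P<process>\S+) "
    r"(?P<path>[A-Za-z]:\\.*?\.\w{2,4})"  # path ends in an extension; spaces allowed inside
    r"(?: (?P<detection>.+?))? \((?P<kind>\w+)\)$"  # detection name is optional
)


def parse_hjt(text):
    """Return [{'section': 'O2', 'body': '...'}, ...] for every HJT entry line."""
    return [m.groupdict() for line in text.splitlines() if (m := HJT_RE.match(line.strip()))]


def triage_hjt(entries):
    """Flag BHOs loaded from .tmp files and unvetted Winlogon Notify DLLs."""
    findings = []
    for e in entries:
        if e["section"] == "O2":
            m = BHO_RE.match(e["body"])
            if m and m.group("path").lower().endswith(".tmp"):
                findings.append(f"O2 BHO '{m.group('name')}' loaded from a .tmp file: {m.group('path')}")
        elif e["section"] == "O20":
            m = NOTIFY_RE.match(e["body"])
            if m and m.group("path").rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(f"O20 Winlogon Notify '{m.group('name')}' uses an unvetted DLL: {m.group('path')}")
    return findings


def parse_mcafee(text):
    """Return one dict per detection line; statistics/version lines are skipped."""
    events = []
    for line in text.splitlines():
        m = MCAFEE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(f"{ev.pop('date')} {ev.pop('time')}", "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def recurring_detections(events, min_events=3):
    """Map (process, detection) -> (count, median seconds between hits) for repeat offenders."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["detection"]:
            by_key[(ev["process"], ev["detection"])].append(ev["when"])
    out = {}
    for key, times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = (len(times), statistics.median(gaps))
    return out


if __name__ == "__main__":
    for finding in triage_hjt(parse_hjt(HJT_SAMPLE)):
        print("HJT:", finding)
    for (proc, name), (count, gap) in recurring_detections(parse_mcafee(MCAFEE_SAMPLE)).items():
        print(f"McAfee: {name} via {proc} hit {count} times, median {gap / 60:.1f} min apart")
```

A detection that keeps reappearing at a fixed interval under winlogon.exe, alongside an unvetted Winlogon Notify DLL in the HJT log, points the analyst at a persistence mechanism rather than at the dropped .tmp files themselves.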


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 June 2006 - 05:45 PM

Hello grateful, welcome to the forum


Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.



Download SmitRem.exe © noahdfear from one of these sites to your Desktop.
http://www.downloads...org/smitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1



Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop. Don't Run Yet.


Please download the trial version of ewido anti-malware 3.5. Install ewido anti-malware 3.5 and start the program from the icon on your desktop, then check for and download updates. Don't Run Yet.


Reboot to safe mode

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Log on to your user account.
Open the smitfraud folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. When the tool completes:



Open Ewido Security Suite
  • Then please run Ewido, click on the Scanner, run a full scan and let it clean everything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report.
  • Save the report to your desktop.
In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

Empty recycle bin.


Reboot

"Copy/paste" the contents of the log C:\smitfiles.txt, a new HijackThis log and the Ewido log.
Also please describe how your computer behaves at the moment.

Please use the Reply button below to reply. Thanks

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom



#3 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 11 June 2006 - 07:49 PM

Hello, I did all the things you outlined and my system now seems to run smoothly. I'm sure there's a next step, but thank you very much for your help so far. Attached are the smitsfile log file, HJT log file, and ewido log file.


smitRem © log file
version 3.0

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: 11/06/2006
The current time is: 21:05:31.82

Running from
C:\Documents and Settings\User\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

regperf.exe
simpole.tlb
stdole3.tlb
atmclk.exe
dcomcfg.exe
amcompat.tlb
nscompat.tlb
1024 dir
ld****.tmp
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 836 'explorer.exe'
Killing PID 836 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

Logfile of HijackThis v1.99.1
Scan saved at 10:42:46 PM, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Azureus\Azureus.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130608026856
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexi32 - winexi32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:25:34 PM, 11/06/2006
+ Report-Checksum: 505D4EC9

+ Scan result:

HKU\S-1-5-21-154908667-4197605869-2767604956-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5345A7A1-805A-4923-B505-86B2FEBA3FE0} -> Adware.Generic : Cleaned with backup
[212] C:\WINDOWS\system32\winexi32.dll -> Trojan.Agent.vg : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\WINDOWS\system32\winexi32.dll -> Trojan.Agent.vg : Cleaned with backup


::Report End


Thanks again for your time and consideration!

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 June 2006 - 07:54 PM

Just one dead leftover

Run HijackThis and kill this one:

O20 - Winlogon Notify: winexi32 - winexi32.dll (file missing)



Good Job :thumbup:

Log looks good :D :thumbup: How is it running? Any issues?


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you don't have these programs I would recommend that you get them: Spywareblaster, Spywareguard. They will add thousands of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 12 June 2006 - 05:34 AM

<giant sigh of relief> Okay, I'm starting to feel like the internet isn't all that evil anymore, thanks.
I made a new clean restore point. However, prior to doing the clean restore point thing I ran Spybot and it found 2 red entries: windowsactivedesktop, winsoftware.winantiviruspro2006. Spybot cleaned both entries but I'm still a little nervous about whether or not I have a truly clean restore point. Here is one more HJT log file.
Also, I currently have McAfee running on my comp but have access to Sophos through school; is one better than the other? I only ask as McAfee only detected problems as they arose this time and never found anything during scans.

Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 8:27:10 AM, on 12/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130608026856
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 June 2006 - 02:59 PM

Are you running Norton's Symantec and McAfee Anti-Virus?



#7 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 12 June 2006 - 03:17 PM

I don't actually have Norton AntiVirus; some time ago I tried to download a pirated version of Norton off of torrentspy. It loaded to 99.9% and then crashed. Ever since then I haven't been able to get all the bits and pieces of Norton off of my system. I tried uninstalling it and that didn't work, and so I made a mess of deleting as many files as I could find. I know, I know, I made a mess of it. Since then I found out that through one university I could get McAfee for free and through another university I could get Sophos. Is this a big problem? Or should I just continue to be ignorant and blissful? Thanks.

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 June 2006 - 04:08 PM

There are FREE programs out there so there's never a need to try to steal one :thumbdown:

Having more than 1 AV can cause conflicts and lockups. Also keep in mind there's a difference between a Virus and spyware/malware. Most AV programs aren't going to pick up spyware/malware.

Note: This procedure will remove all Symantec products, not just Symantec AntiVirus.

1. Click on Start | Settings | Control Panel
2. In the control panel double-click on Add / Remove Programs
3. Look through the list of installed programs for any item that says either "Norton" or "Symantec" or "LiveUpdate". (for example "Symantec AntiVirus Corporate Edition" or "Norton AntiVirus 2000")
4. For each "Norton", "Symantec", or "LiveUpdate" item, select the item and click Add / Remove. Follow the instructions, and click Yes or Yes to all when prompted.
When you are done there should be no items in the list that say "Norton", "Symantec", or "LiveUpdate".
5. Click OK to close the Add / Remove Programs window.
6. Reboot your computer if it hasn't already automatically rebooted.
7. Delete the c:\Program Files\Symantec AntiVirus (or c:\Program Files\Norton) folder.
8. Delete the c:\Program Files\Symantec folder.
9. Delete the c:\Program Files\Common Files\Symantec Shared folder.



If uninstalling Symantec AntiVirus using Add / Remove Programs does not work, you can use the directions on this Symantec website to manually remove all elements of Symantec Antivirus from your computer.
http://service1.syma...src=bar_sch_nam

Post a new HijackThis log after you've finished the above and we'll see how the log is :thumbup:



#9 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 13 June 2006 - 05:18 AM

Hey, I tried removing the Symantec programs through Add/Remove and the Add/Remove program would freeze. After I right-clicked it on the task tray and closed it, an error msg popped up saying error rundll32.exe.

There are two programs that are Symantec on the list in Add/Remove Programs: "Norton SystemWorks 2006" and "LiveUpdate 2.7 (Symantec Corporation)". As I said, trying to remove either froze the Add/Remove program.

I went to the website you linked above and was unable to find a file on how to remove SystemWorks 2006. I tried going through the site and searching for "SystemWorks 2006" "manual uninstallation" and was unsuccessful in my search.

I have also noticed that GBPoll.exe is always running in my running processes. I think this is GoBackPoll another Symantec product.


You are absolutely right, there are lots of free programs out there that I am beginning to learn more about.

Thanks for the gentle scolding :oops:


Logfile of HijackThis v1.99.1
Scan saved at 8:04:17 AM, on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130608026856
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperLite\DKService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 June 2006 - 03:56 PM

Look at what's in the startup.

Click Start > Run > type in Msconfig, tap the Enter key.
Look in Startup. Uncheck everything that has Norton's or Symantec.


After you uncheck it and reboot, you'll be using Selective startup.
When you see the box pop up that tells you that, just put a check in the box to not show that when you start up. That's how I run mine.

Let me know how it goes :thumbup:
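Two of the checks in this thread are mechanical enough to script: spotting the "dead leftover" O20 entry from post #4 (a Winlogon Notify key whose DLL HJT reports as "(file missing)", so the key is inert but still tells winlogon.exe to load something that is gone), and, for post #10, listing which Symantec/Norton O23 services are still live by cross-referencing the O23 lines against the "Running processes" section. The following is an added example written for this thread; it is not code from the forum, from HijackThis or from any of the vendors mentioned. The function names and `SAMPLE_LOG` are this example's own; the sample lines are copied from the logs posted above and trimmed, and the "(file missing)" annotation it relies on is HJT's own, so the script only reads the log as pasted and never touches the registry or the disk.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not code from the thread).

Checks:
  * O20 Winlogon Notify entries annotated "(file missing)": the DLL is gone
    (winexi32.dll was removed by ewido) but the registry key that tells
    winlogon.exe to load it is still there -- the "dead leftover" in post #4.
  * O23 services whose display name or vendor matches given keywords, with a
    flag saying whether their image path also appears under "Running processes",
    so you can see which Symantec/Norton services are still live (post #10).
SAMPLE_LOG is constructed from lines copied and trimmed from the logs in this thread.
"""
import re
from dataclasses import dataclass, field

# HJT prints O20 as "O20 - Winlogon Notify: <key> - <dll>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# HJT prints O23 as "O23 - Service: <display> - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
OLINE_RE = re.compile(r"^O\d+ - ")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)  # lower-cased image paths
    entries: list = field(default_factory=list)    # raw "Onn - ..." lines


def parse_hjt(text: str) -> HjtLog:
    """Split a pasted HJT log into its process list and its O-entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
        elif OLINE_RE.match(line):
            in_procs = False          # the first O-line ends the process list
            log.entries.append(line)
        elif in_procs:
            log.processes.append(line.lower())
    return log


def dangling_winlogon_notify(log: HjtLog) -> list:
    """Names of Winlogon Notify keys whose DLL HJT could not find on disk."""
    found = []
    for entry in log.entries:
        m = O20_RE.match(entry)
        if m and m.group("missing"):
            found.append(m.group("name"))
    return found


def vendor_services(log: HjtLog, *keywords: str) -> list:
    """(display name, image path, running?) for O23 services matching any keyword."""
    wanted = [k.lower() for k in keywords]
    result = []
    for entry in log.entries:
        m = O23_RE.match(entry)
        if not m:
            continue
        haystack = (m.group("display") + " " + m.group("vendor")).lower()
        if any(k in haystack for k in wanted):
            path = m.group("path")
            result.append((m.group("display"), path, path.lower() in log.processes))
    return result


SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexi32 - winexi32.dll (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    for name in dangling_winlogon_notify(log):
        print(f"O20 {name}: DLL missing, registry key still present -> remove with HJT")
    for display, path, running in vendor_services(log, "Symantec", "Norton"):
        print(f"O23 {display}: {'RUNNING' if running else 'not running'} ({path})")
```

Run against the sample, the script reports `winexi32` as the only dangling O20 key, and shows ccSetMgr and GBPoll as running Symantec services while NSCService is registered but not running, which matches the post #11 log where GBPoll.exe disappears from the process list once the services are unticked in msconfig. The "running" flag is only as good as the log it is fed: a service set to Manual start can be absent from the process list and still be present, so treat it as a snapshot, not proof of removal.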



#11 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 June 2006 - 05:01 AM

Hey LDTate, all seemed to go well with your suggestions. There was nothing under the startup tab that said symantec or norton but there were several under the services tab. I unchecked all the ones I could find under the services tab.

Everything seems to be running smoothly now on my computer.

Thanks again for all of your help :)

Logfile of HijackThis v1.99.1
Scan saved at 7:54:02 AM, on 14/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130608026856
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperLite\DKService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 June 2006 - 02:01 PM

Good Job :thumbup:

Log looks good :D

You need to create a new Clean restore point.

Note: This will remove all previous Restore Points.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files and folders" folder, uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.



Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein



#13 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 June 2006 - 02:38 PM

Shoot! I haven't yet made a clean restore point because I'm not sure if the system is clean. McAfee on-access scan popped up (twice) and gave me a message about a trojan. It happened as I was doing an ewido scan (not sure if it was a coincidence); nothing turned up in ewido. Here are the last few McAfee entries in the log. The last entries show the trojan. "Just when I thought I was out, they pull me back in!"

6/14/2006 8:47:23 AM Statistics:
6/14/2006 8:47:23 AM Files scanned: 3919
6/14/2006 8:47:23 AM Files detected: 0
6/14/2006 8:47:23 AM Files cleaned: 0
6/14/2006 8:47:23 AM Files deleted: 0
6/14/2006 8:47:23 AM Files moved: 0
6/14/2006 4:46:11 PM Engine version = 4.4.00
6/14/2006 4:46:11 PM DAT version = 4783
6/14/2006 4:46:11 PM Number of virus signatures in EXTRA.DAT = None
6/14/2006 4:46:11 PM Names of viruses that EXTRA.DAT can detect = None
6/14/2006 4:49:23 PM Engine version = 4.4.00
6/14/2006 4:49:23 PM DAT version = 4784
6/14/2006 4:49:23 PM Number of virus signatures in EXTRA.DAT = None
6/14/2006 4:49:23 PM Names of viruses that EXTRA.DAT can detect = None
6/14/2006 5:21:55 PM Deleted YOUR-RQRTH0AUDC\User SecuritySuite.e C:\WINDOWS\system32\c6bf4835.exe Generic Downloader.ab (Trojan)
6/14/2006 5:34:52 PM Deleted NT AUTHORITY\SYSTEM MsMpEng.exe C:\Documents and Settings\User\Local Settings\Application Data\c6bf4835.exe Generic Downloader.ab (Trojan)

Edited by grateful, 14 June 2006 - 02:43 PM.


#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 June 2006 - 02:46 PM

Do a search and delete everything named c6bf4835.



#15 grateful

grateful

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 June 2006 - 03:18 PM

Searched for c6bf4835 for all files and folders and nothing turned up. McAfee popped up again with a trojan that came out of the Hijack This backup log (see bottom).

6/14/2006 8:47:23 AM Statistics:
6/14/2006 8:47:23 AM Files scanned: 3919
6/14/2006 8:47:23 AM Files detected: 0
6/14/2006 8:47:23 AM Files cleaned: 0
6/14/2006 8:47:23 AM Files deleted: 0
6/14/2006 8:47:23 AM Files moved: 0
6/14/2006 4:46:11 PM Engine version = 4.4.00
6/14/2006 4:46:11 PM DAT version = 4783
6/14/2006 4:46:11 PM Number of virus signatures in EXTRA.DAT = None
6/14/2006 4:46:11 PM Names of viruses that EXTRA.DAT can detect = None
6/14/2006 4:49:23 PM Engine version = 4.4.00
6/14/2006 4:49:23 PM DAT version = 4784
6/14/2006 4:49:23 PM Number of virus signatures in EXTRA.DAT = None
6/14/2006 4:49:23 PM Names of viruses that EXTRA.DAT can detect = None
6/14/2006 5:21:55 PM Deleted YOUR-RQRTH0AUDC\User SecuritySuite.e C:\WINDOWS\system32\c6bf4835.exe Generic Downloader.ab (Trojan)
6/14/2006 5:34:52 PM Deleted NT AUTHORITY\SYSTEM MsMpEng.exe C:\Documents and Settings\User\Local Settings\Application Data\c6bf4835.exe Generic Downloader.ab (Trojan)
6/14/2006 5:54:00 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM MsMpEng.exe C:\Documents and Settings\User\My Documents\Programs\World_Wind_1.3.1.1_Full.exe (Virus)
6/14/2006 5:54:23 PM Deleted NT AUTHORITY\SYSTEM MsMpEng.exe C:\HJT\backups\backup-20060611-081248-421.dll Puper.dll (Trojan)
6/14/2006 6:23:09 PM Deleted NT AUTHORITY\SYSTEM MsMpEng.exe C:\System Volume Information\_restore{002BB4B0-C7AB-4917-8306-BD2A7DD1C21C}\RP12\A0002306.exe Generic Downloader.ab (Trojan)
6/14/2006 6:23:10 PM Deleted NT AUTHORITY\SYSTEM MsMpEng.exe C:\System Volume Information\_restore{002BB4B0-C7AB-4917-8306-BD2A7DD1C21C}\RP12\A0002313.exe Generic Downloader.ab (Trojan)
6/14/2006 6:23:11 PM Deleted NT AUTHORITY\SYSTEM MsMpEng.exe C:\System Volume Information\_restore{002BB4B0-C7AB-4917-8306-BD2A7DD1C21C}\RP12\A0002332.dll Puper.dll (Trojan)

Edited by grateful, 14 June 2006 - 03:32 PM.
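The McAfee on-access log quoted in the two posts above is one line per event, and both the Windows path and the threat name contain spaces, which makes the entries hard to triage by eye. As an added example (not code from the thread or from McAfee), this Python parser splits those entries into fields and sorts each hit by where it lives, since a detection inside System Restore or the HijackThis backups folder is a copy of an already-removed file rather than an active infection; the sample lines are constructed from the entries quoted in the posts, and the field names and the three location classes are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the McAfee on-access log quoted in the thread
# (paths and names as the poster quoted them; a statistics line is kept to show it is skipped).
SAMPLE_LOG = """\
6/14/2006 8:47:23 AM Files detected: 0
6/14/2006 5:21:55 PM Deleted YOUR-RQRTH0AUDC\\User SecuritySuite.e C:\\WINDOWS\\system32\\c6bf4835.exe Generic Downloader.ab (Trojan)
6/14/2006 5:34:52 PM Deleted NT AUTHORITY\\SYSTEM MsMpEng.exe C:\\Documents and Settings\\User\\Local Settings\\Application Data\\c6bf4835.exe Generic Downloader.ab (Trojan)
6/14/2006 5:54:00 PM Not scanned (scan timed out) NT AUTHORITY\\SYSTEM MsMpEng.exe C:\\Documents and Settings\\User\\My Documents\\Programs\\World_Wind_1.3.1.1_Full.exe (Virus)
6/14/2006 5:54:23 PM Deleted NT AUTHORITY\\SYSTEM MsMpEng.exe C:\\HJT\\backups\\backup-20060611-081248-421.dll Puper.dll (Trojan)
6/14/2006 6:23:09 PM Deleted NT AUTHORITY\\SYSTEM MsMpEng.exe C:\\System Volume Information\\_restore{002BB4B0-C7AB-4917-8306-BD2A7DD1C21C}\\RP12\\A0002306.exe Generic Downloader.ab (Trojan)
"""

# Event line: timestamp, action, user, scanning process, then "<path> <threat> (<kind>)".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Deleted|Cleaned|Moved|Not scanned \([^)]*\)) "
    r"(?P<user>NT AUTHORITY\\\S+|\S+) (?P<process>\S+) "
    r"(?P<rest>[A-Za-z]:\\.*) \((?P<kind>[^()]+)\)$")

def classify(path):
    """Where a hit lives decides the response: restore-point and HJT backup copies are inert leftovers."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\"):
        return "restore_point"
    return "hjt_backup" if "\\hjt\\backups\\" in p else "live"

def parse_event(line):
    """Parse one detection line; statistics/DAT lines return None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    # Paths and threat names both contain spaces; the path ends at the last token holding a backslash.
    tokens = m["rest"].split(" ")
    last = max(i for i, t in enumerate(tokens) if "\\" in t)
    path, threat = " ".join(tokens[:last + 1]), " ".join(tokens[last + 1:])
    return {"ts": m["ts"], "action": m["action"], "process": m["process"], "path": path,
            "threat": threat, "kind": m["kind"], "where": classify(path)}

def triage(log_text):
    """Separate real on-disk hits from leftover copies and from non-detections."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return {
        "live_detections": [e["path"] for e in events if e["where"] == "live" and e["threat"]],
        "leftover_copies": sum(e["where"] != "live" for e in events),
        "not_scanned": [e["path"] for e in events if e["action"].startswith("Not scanned")],
        "threats": Counter(e["threat"] for e in events if e["threat"]),
    }
```

On the sample, only the two c6bf4835.exe hits count as live detections (and both were already deleted by the scanner); the "Not scanned (scan timed out)" line is a scan failure, not a detection, and is listed separately so it can be rescanned.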
