Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93085 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Trojan Virus Infection

Started by eharri2 , Mar 02 2007 12:54 PM

  • This topic is locked This topic is locked
7 replies to this topic

#1 eharri2

eharri2

    Authentic Member

  • Authentic Member
  • PipPip
  • 63 posts

Posted 02 March 2007 - 12:54 PM

Hey guys,
I recently posted under Computer Help, and after posting my HijackThis Log, someone noticed that I possibly do have a Trojan Virus on my comptuer, which is definitely not good at all. Anyways, here's a list of my running process as seen on HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:01 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.co...InstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151965044906
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks for the help. It's very much appreciated.

- eharri2

    Advertisements

Register to Remove

#2 ourwilly

ourwilly

    Authentic Member

  • Authentic Member
  • PipPip
  • 96 posts

Posted 03 March 2007 - 09:56 AM

Hello eharri2

Copy and Paste this post into a new text document

Step 1

Download AVG Anti-Spyware 7.5

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Now Update AVG Anti-Spyware 7.5
click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close AVG AS.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!


Scan with HijackThis again and place a checkmark in the boxes before the following entries:

O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll

Close any Explorer windows which may be open and click the "Fix Checked" button.



Step 2

Please Reboot your System into Safe Mode Shut down your system, then Restart your computer
as soon as it starts booting up again continuously tap F8 from the menu select the option to enter Safe Mode

Double-click on My Computer, Double-click on Local Disk
and navigate to then Right Click on and Delete this Bold file

C:\WINDOWS\SYSTEM32\winhdn32.dll

Reopen AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the AVG Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Step 3

Please Re-Scan with Hijack This and post

1/ The new HijackThis log
2/ The AVG Anti-Spyware 7.5 Report-Scan.txt

Also like to ask for information on the Symantec entry that is showing in this log

Thank you.
A Cooperative Effort with WhatTheTech

Please do not PM me asking for support. Post on the forums instead
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 eharri2

eharri2

    Authentic Member

  • Authentic Member
  • PipPip
  • 63 posts

Posted 06 March 2007 - 06:27 PM

Hey ourwilly,
Here's both the HijackThis log and the AVG Anti-Spyware report,

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:09:09 PM 3/6/2007

+ Scan result:



:mozilla.179:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.36:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.37:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.38:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.39:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.40:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.10:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.142:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.143:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.144:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.145:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.146:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.74:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.76:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.77:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.78:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.178:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.42:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.159:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.177:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.132:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.133:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.41:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Evan Harrington\Cookies\evan_harrington@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.43:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.44:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.48:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.49:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.52:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.166:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.167:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.168:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.169:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.170:C:\Documents and Settings\Evan Harrington\Application Data\Mozilla\Firefox\Profiles\mum5dd33.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 6:14:56 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.co...InstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151965044906
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Honestly, I have no idea what that Symantec file is since I deleted Norton Antivirus a while ago. It could be the remnants of the Norton folder, but I sincerely doubt that this is the case, since I deleted all the folders and files of Norton. What do you think it is? Do you think it's a virus or possibly malware?

Thanks,
eharri2

#4 ourwilly

ourwilly

    Authentic Member

  • Authentic Member
  • PipPip
  • 96 posts

Posted 07 March 2007 - 02:28 AM

eharri2

Sorry to keep you waiting..

Step 1

Do you think it's a virus or possibly malware?

No! it Norton

Click on: Start > Run and type in: services.msc Click OK
In the Services window find:

Symantec Lic NetConnect service

Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Re-scan with "HijackThis" and Fix this line
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)


Then Navigate to and Delete this "bold" folder ( if found )
C:\Program Files\Common Files\Symantec Shared


Step 2

Go to Start | Control Panel | Add/Remove Programs and Uninstall:

any item with Java Runtime Environment (JRE) in the name

Restart the computer.

Now CLICK HERE select the Download button next to "Java Runtime Environment (JRE) 6"
"Accept" the License Agreement Then choose the First download link "Windows Offline Installation, Multi-language".
Please note - You must Install this version Offline.


Step 3

Re-scan and post a new HijackThis log
and please let me know how your system is running

Thank you.
A Cooperative Effort with WhatTheTech

Please do not PM me asking for support. Post on the forums instead
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 eharri2

eharri2

    Authentic Member

  • Authentic Member
  • PipPip
  • 63 posts

Posted 07 March 2007 - 11:55 AM

Hey ourwilly,
Alrite, so I did all of the things you requested and just installed Java Runtime Environment (JRE) 6. However, when I was installing it, in my task manager, I noticed that there were about five of these msiexec.exe popping up. Then, Bullguard asked me if I wanted to let C:Windows\System32\msiexec.exe have network access, and I didn't know if it was a virus or not, so I clicked no. Other than that my computer is running fine. Here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:07 AM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.co...InstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151965044906
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Sincerely,
eharri2

#6 eharri2

eharri2

    Authentic Member

  • Authentic Member
  • PipPip
  • 63 posts

Posted 07 March 2007 - 12:14 PM

By the way, should svchost.exe have access to the internet?

#7 ourwilly

ourwilly

    Authentic Member

  • Authentic Member
  • PipPip
  • 96 posts

Posted 08 March 2007 - 02:23 AM

Hello eharri2

Clean your Cache and Cookies in Firefox :
Go to Tools > Options. Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking "Clear All".
A confirmation dialog box will be shown before clearing the information.

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content",
(You will have to re-enter passwords at websites that require them.)
Click OK

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Regarding svchost.exe have a look at This thread
and it isn't necessary to allow msiexec 'net access, but it might be useful to to so,
because it will automatically check for updates for the program it is installing.

Can you please let me know how your system is running now

Thank you.
A Cooperative Effort with WhatTheTech

Please do not PM me asking for support. Post on the forums instead
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 24 March 2007 - 08:31 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·