Very bad Winfixer 2005 infection (standby disabled!)

Unread postby Jthomson » September 11th, 2005, 9:45 am

Hi all:

I am at my wit's end. Despite all my standard precautions (using McAfee AND Zone Alarm personal firewalls, regularly scanning for spyware with Spybot and Counter Spy, and weekly full system scans with Norton AV), this turgid malware has infected my computer and I can't remove it. It constantly pops up (especially when I do a Google search on "Winfixer"), has noticeably slowed down my laptop AND has somehow disabled standby: whenever I put the laptop into standby, it powers down, screen goes blank and then... it powers back up within 5 seconds.

Any help will be sooooo appreciated.

Thanks in advance - john

Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:33 AM, on 9/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Pilot Software\BusinessAnalyzer\lssagent.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Urchin\bin\urchind.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\DOCUME~1\ALANGS~1\LOCALS~1\Temp\2005910235529_mcinfo.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINNT\system32\vtuts.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ALANGS~1\LOCALS~1\Temp\2005910235529_mcinfo.exe /insfin
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {08C818C3-2F1E-11D0-9223-00A0244D2920} (ChartFX IE Client Object) - http://213.131.167.220/download/cfxax.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E2} (ShowSetupObj2 Class) - http://invite.mshow.com/ShowSetup2.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://camnet.abtassoc.com/iNotes.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.softwarefx.com/download/CfxIEAx.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.placeware.com/etc/pla ... silver.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/15e6aab0a0797bb28e ... /RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6410248845
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
O16 - DPF: {BC57DAFD-FB14-11D6-BF35-00E09876DF26} (WebTrainConference.WTConference) - http://www.webtrain.com/websay/cabs/WTConference.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_11) - http://demo.webtrends.com/j2re-1_3_1_11 ... i586-i.exe
O16 - DPF: {CFA44F1B-7EAA-11D6-BF31-00E0987495A5} (WebTrainMeeting.WTMeeting) - http://www.webtrain.com/websay/forum/WTMeeting.CAB
O16 - DPF: {DAD95622-FC83-11D6-BF35-00E09876DF26} (WTRecording.WTPlayer) - http://www.webtrain.com/websay/cabs/WTPlayer.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://marqui.webex.com/client/v_myweb ... eatgpc.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify204.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ccpa.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ccpa.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ccpa.local
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: vtuts - C:\WINNT\system32\vtuts.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pilot Listener (lssagent) - Unknown owner - C:\Program Files\Pilot Software\BusinessAnalyzer\lssagent.exe
O23 - Service: MSTaskMgr - Unknown owner - c:\progra~1\Microsoft\Update\DLL\tk\FireDaemon.EXE (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: rundll (Rundll) - Unknown owner - c:\progra~1\Microsoft\Update\DLL\tk\FireDaemon.EXE (file missing)
O23 - Service: Urchin Scheduler (urchind) - Unknown owner - C:\Program Files\Urchin\bin\urchind.exe
O23 - Service: Urchin Webserver (UrchinWebserver) - Unknown owner - C:\Program Files\Urchin\bin\urchinwebd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Pilot Extended Listener (WebXi) - WebXi, Inc. - C:\Program Files\Pilot Software\BusinessAnalyzer\internet\webengdb.exe
Jthomson
Active Member
 
Posts: 3
Joined: September 11th, 2005, 9:30 am

Unread postby D_Trojanator » September 11th, 2005, 3:17 pm

Hello

Welcome to MWR:) . I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.

Please note the following:
  • I will be working on your Malware issues: This may or may not solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.


David :)
D_Trojanator
Regular Member
 
Posts: 253
Joined: July 22nd, 2005, 6:17 am
Location: Croydon, London, UK

Thank you -

Unread postby Jthomson » September 11th, 2005, 9:13 pm

David -

Thank you for your reply. I will check this forum regularly and look very much forward to working together to resolve this issue.

Again, much appreciate your help in advance.

cheers,

John
Jthomson
Active Member
 
Posts: 3
Joined: September 11th, 2005, 9:30 am

Unread postby D_Trojanator » September 12th, 2005, 2:55 am

As a trainer I have to get the fix checked.
Will be back a.s.a.p.
David
D_Trojanator
Regular Member
 
Posts: 253
Joined: July 22nd, 2005, 6:17 am
Location: Croydon, London, UK

Unread postby D_Trojanator » September 12th, 2005, 2:47 pm

Hi, my name is David! :)

Important: Create a folder on the C: drive called C:\HJT\

  • You can do this by opening My Computer, then double clicking on C:, right click and select New then Folder and name it HJT.
  • Unzip HijackThis into this folder.
  • Please delete the old copy of HJT (and the zip copy(s)) so it can't be used.
  • If required, look at this Hijackthis Folder Tutorial
----------------------------

You are using two firewalls at the same time which is a No-NO! You have both McAfee and Zone Alarm; please remove one of them.
----------------------------

Let's deal with Vundo first! Please print these instructions out for use in Safe Mode.

----------------------------
Disable CounterSpy
1. Right-click the running icon of CounterSpy in the system tray.
2. With your mouse, hover over Active Protection Status (This should be enabled).
3. A menu will slide out and then you need to right click on "Disable Active Protection."
----------------------------

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this
    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:
    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINNT\system32\vtuts.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINNT\system32\stutv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.


Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

David :D
D_Trojanator
Regular Member
 
Posts: 253
Joined: July 22nd, 2005, 6:17 am
Location: Croydon, London, UK
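To show what the instructions above are keying on, here is an added triage script (not code from this thread, from HijackThis or from VundoFix) that parses lines in the HijackThis log format, flags any DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler (the pairing vtuts.dll shows in the first log), derives the reversed-name companion path that the second VundoFix prompt asked for (vtuts.dll to stutv.*), and lists O23 services with an unknown owner whose binary is missing. The sample lines are constructed from the log posted in this thread, with benign entries kept for contrast.

```python
import ntpath
import re

# Constructed sample: lines in HijackThis v1.99.1 format copied from the log
# posted in this thread, plus a benign BHO, Winlogon entry and service so the
# checks have something to leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINNT\system32\vtuts.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtuts - C:\WINNT\system32\vtuts.dll
O23 - Service: MSTaskMgr - Unknown owner - c:\progra~1\Microsoft\Update\DLL\tk\FireDaemon.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Every HijackThis entry line starts with a section tag such as R0, O2, O20.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, fields) tuples.

    An entry line reads "<section> - <field> - <field> ..."; header lines and
    the running-process list carry no section tag and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            fields = [f.strip() for f in m.group("body").split(" - ")]
            entries.append((m.group("section"), fields))
    return entries


def dll_name(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path.strip()).lower()


def bho_winlogon_pairs(entries):
    """Return O2 BHO paths whose DLL is also an O20 Winlogon Notify handler.

    A browser helper object that also hooks Winlogon reloads itself at logon,
    which is why the helper in this thread removed both entries together.
    """
    notify = {dll_name(fields[-1]) for sec, fields in entries if sec == "O20"}
    return sorted(
        fields[-1] for sec, fields in entries
        if sec == "O2" and dll_name(fields[-1]) in notify
    )


def reversed_companion(path):
    """Wildcard path for the reversed-name companion file, following the
    pattern of the two paths the helper supplied (vtuts.dll -> stutv.*)."""
    directory, name = ntpath.split(path)
    stem = ntpath.splitext(name)[0]
    return ntpath.join(directory, stem[::-1] + ".*")


def orphan_services(entries):
    """Names of O23 services whose owner is unknown and whose binary is absent."""
    return sorted(
        fields[0].split(": ", 1)[1]
        for sec, fields in entries
        if sec == "O23"
        and "Unknown owner" in fields
        and "(file missing)" in fields[-1]
    )


def triage(text):
    """Run all three checks over a log and return the findings as a dict."""
    entries = parse_hjt(text)
    pairs = bho_winlogon_pairs(entries)
    return {
        "bho_winlogon_pairs": pairs,
        "companions": [reversed_companion(p) for p in pairs],
        "orphan_services": orphan_services(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```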

Fingers crossed....

Unread postby Jthomson » September 13th, 2005, 8:08 am

Hi David -

First things first: my *THANKS* to you and all those at this forum who helped out on this problem. It is really appreciated. I hope to be rid of this malicious stuff soon.

I followed your instructions to the letter, starting with uninstalling McAfee firewall (now have just ZA). I am posting the results of each of the scans/logs below in the following order: ActiveScan log; HJT log; VundoFix log.


Incident Status Location

Adware:adware/sidestep No disinfected C:\DOCUMENTS AND SETTINGS\ALANGSHUR\START MENU\SideStep.lnk
Adware:Adware/SideStep No disinfected C:\WINNT\Downloaded Program Files\SbCIe028.dll
Virus:Trojan Horse Disinfected C:\WINNT\Damage\proxylist.txt


Logfile of HijackThis v1.99.1
Scan saved at 7:35:26 AM, on 9/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Pilot Software\BusinessAnalyzer\lssagent.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Urchin\bin\urchind.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\DOCUME~1\ALANGS~1\LOCALS~1\Temp\2005910235529_mcinfo.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ALANGS~1\LOCALS~1\Temp\2005910235529_mcinfo.exe /insfin
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://camnet.abtassoc.com/iNotes.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 6534849709
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6410248845
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BC57DAFD-FB14-11D6-BF35-00E09876DF26} (WebTrainConference.WTConference) - http://www.webtrain.com/websay/cabs/WTConference.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_11) - http://demo.webtrends.com/j2re-1_3_1_11 ... i586-i.exe
O16 - DPF: {CFA44F1B-7EAA-11D6-BF31-00E0987495A5} (WebTrainMeeting.WTMeeting) - http://www.webtrain.com/websay/forum/WTMeeting.CAB
O16 - DPF: {DAD95622-FC83-11D6-BF35-00E09876DF26} (WTRecording.WTPlayer) - http://www.webtrain.com/websay/cabs/WTPlayer.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://marqui.webex.com/client/v_myweb ... eatgpc.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify204.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ccpa.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ccpa.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ccpa.local
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pilot Listener (lssagent) - Unknown owner - C:\Program Files\Pilot Software\BusinessAnalyzer\lssagent.exe
O23 - Service: MSTaskMgr - Unknown owner - c:\progra~1\Microsoft\Update\DLL\tk\FireDaemon.EXE (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: rundll (Rundll) - Unknown owner - c:\progra~1\Microsoft\Update\DLL\tk\FireDaemon.EXE (file missing)
O23 - Service: Urchin Scheduler (urchind) - Unknown owner - C:\Program Files\Urchin\bin\urchind.exe
O23 - Service: Urchin Webserver (UrchinWebserver) - Unknown owner - C:\Program Files\Urchin\bin\urchinwebd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Pilot Extended Listener (WebXi) - WebXi, Inc. - C:\Program Files\Pilot Software\BusinessAnalyzer\internet\webengdb.exe




Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 132 'smss.exe'
Threads [128][136][140][148][144][152]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 180 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


Again, my sincere thanks David.


John
Jthomson
Active Member
 
Posts: 3
Joined: September 11th, 2005, 9:30 am

Unread postby D_Trojanator » September 21st, 2005, 12:34 pm

Please download ewido security suite (free), and install it.
  • When installing, under Additional Options uncheck both Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update button.
  • Click on Start. The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido. Do NOT run it yet.

(If you have problems updating, you can use this link to manually update Ewido.
Make sure that Ewido is closed when installing the update.)

DO NOT RUN IT YET!

---------------------------------------------------------------------------------

CleanUp!

*Download Cleanup from Here
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET!


---------------------------------------------------------------------------------

Once you have downloaded both programs........
  • To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
    Please close ALL open Windows, Programs and Folders, and run a full scan with Ewido.
    • Click on Scanner
    • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
    • Click Save Report button
    • Save the report to your Desktop
    Close Ewido.


    * Run Cleanup:
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program.

------------

Please post a new HJT log
David
D_Trojanator
Regular Member
 
Posts: 253
Joined: July 22nd, 2005, 6:17 am
Location: Croydon, London, UK

Unread postby NonSuch » October 5th, 2005, 3:51 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California