Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HiJackThis log! June 12

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby hrdcover » July 19th, 2005, 10:21 am

The virus list alone is way too big to post. Here is the summary:

Tue Jul 19 05:55:22 2005 => ***** Scanning complete. *****
Tue Jul 19 05:55:22 2005 => Total Objects Scanned: 247505
Tue Jul 19 05:55:22 2005 => Total Virus(es) Found: 2571
Tue Jul 19 05:55:22 2005 => Total Disinfected Files: 0
Tue Jul 19 05:55:22 2005 => Total Files Renamed: 0
Tue Jul 19 05:55:22 2005 => Total Deleted Objects: 0
Tue Jul 19 05:55:22 2005 => Total Errors: 24
Tue Jul 19 05:55:22 2005 => Time Elapsed: 06:09:00
Tue Jul 19 05:55:22 2005 => Virus Database Date: 2005/06/24
Tue Jul 19 05:55:22 2005 => Virus Database Count: 136182

Most of the 2571 virus entries appear to taken up by repeated Norton quarantines and multiple occurrences at what appears to be restore points (example: File C:\System Volume Information\_restore{B315DD6C-E9C9-4CC1-8D9F-67F87E6AC756}\RP169\A0056616.exe infected by "Trojan-Clicker.Win32.Agent.db" Virus! Action Taken: No Action Taken.)

If I exclude the Norton and System Restore occurrences, the log looks like this:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\RxSBDViewEx.SBDGroupCtrl" refers to invalid object "{7495CF57-E208-4DF0-A8C5-9E17ECC51490}". Action Taken: No Action Taken.
Entry "HKCR\RxSBDViewEx.SBDGroupCtrl.1" refers to invalid object "{7495CF57-E208-4DF0-A8C5-9E17ECC51490}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\epx30104.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\plgwkaeg05.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinStat11.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\yqssr.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\PATNOA~1.DEL\LOCALS~1\Temp\GLB1A2B.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\BitTorrent-4.0.1.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\cs1005.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\Downloads\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\180sainstaller.exe tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\Del50.tmp infected by "Trojan-Downloader.Win32.Small.asf" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\Del5A.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\res51.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temporary Internet Files\Content.IE5\4FWH6H0N\ADL[1].CHM infected by "Trojan-Downloader.VBS.Psyme.x" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Pat Noah.DELL1\Local Settings\Temp\GLB1A2B.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Pat Noah.DELL1\My Documents\Downloads\aawseplus.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Pat Noah.DELL1\My Documents\Downloads\HomeBase23EN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\HiJackThis\backups\backup-20050613-202216-455.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.
File C:\Program Files\Ad-Aware Personal\aawsepersonal.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\HomeBase\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\Iomega Sync\SystemFiles\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Plus\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\CM\CMInstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\TDM\TDMInstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Valve\Steam\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Valve\Steam\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Sierra\Counter-Strike\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\steaminstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Installations\{88266266-0127-42AE-808C-72184529845B}\Iomega Sync.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx infected by "Trojan-Downloader.Win32.Lastad.p" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.b. No Action Taken.
File C:\WINDOWS\Installer\e082f31.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\epx30104.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\plgwkaeg05.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinStat11.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\yqssr.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\BitTorrent-4.0.1.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\cs1005.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\Downloads\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\180sainstaller.exe tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\Del50.tmp infected by "Trojan-Downloader.Win32.Small.asf" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\Del5A.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temp\res51.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Hallie Noah\Local Settings\Temporary Internet Files\Content.IE5\4FWH6H0N\ADL[1].CHM infected by "Trojan-Downloader.VBS.Psyme.x" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Pat Noah.DELL1\Local Settings\Temp\GLB1A2B.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Pat Noah.DELL1\My Documents\Downloads\aawseplus.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Pat Noah.DELL1\My Documents\Downloads\HomeBase23EN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\HiJackThis\backups\backup-20050613-202216-455.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.
File C:\Program Files\Ad-Aware Personal\aawsepersonal.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\HomeBase\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\Iomega Sync\SystemFiles\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Plus\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\CM\CMInstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\TDM\TDMInstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Valve\Steam\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Valve\Steam\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Sierra\Counter-Strike\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\steaminstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Installations\{88266266-0127-42AE-808C-72184529845B}\Iomega Sync.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx infected by "Trojan-Downloader.Win32.Lastad.p" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.b. No Action Taken.
File C:\WINDOWS\Installer\e082f31.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\epx30104.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\plgwkaeg05.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinStat11.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\yqssr.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage
Advertisement
Register to Remove

Unread postby Bertha » July 22nd, 2005, 1:08 pm

Hi hrdcover,

wng will be away for a while, so Ill be helping you if thats ok, Please bear with me while I just read through the past few pages :D

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby hrdcover » August 9th, 2005, 10:05 am

It's been awhile, so thought I should update. I went ahead and purchased MWav, ran it and allowed it to delete files as indicated. As suspected, there was a virus in the restore folder. In addition, Norton has found but cannot remove C:\WINDOWS\System32\hclean32.exe trojan horse. Norton regularly detects this program attempting to launch, cannot delete it but does block it.

Here is an updated HJT log as well as the last (Aug 7) MWav log info:

Logfile of HijackThis v1.99.1
Scan saved at 5:55:46 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\readerware.exe
C:\Program Files\USPSShippingAssistant\AutoShippingAPI.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [plgwk] C:\WINDOWS\System32\plgwk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/defaul ... Loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA575D31-8FC4-407F-9EAB-525AD6A5F096}: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\BitTorrent-4.0.1.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\cs1005.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\Downloads\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Sierra\Counter-Strike\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\System Volume Information\_restore{B315DD6C-E9C9-4CC1-8D9F-67F87E6AC756}\RP238\A0154969.exe infected by "Trojan.Win32.Qhost.qr" Virus! Action Taken: File Deleted.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.b. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\BitTorrent-4.0.1.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\cs1005.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\Documents and Settings\Alec Noah\Desktop\GOOD STUFF\Downloads\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Sierra\Counter-Strike\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.b. No Action Taken.
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby Blender » August 9th, 2005, 3:15 pm

Hi hrdcover and welcome :)

Wng asked me to pop in here cus he is in the process of moving.

hclean32.exe that Norton is detecting has several super hidden files associated with it. Bit hard to find but I think between us we can. :)

Need another log to help me tho.

Please download Silent Runners from here:

http://www.silentrunners.org/Silent%20Runners.vbs

You can save it to your desktop.

Double click Silent runners.vbs, answer yes to its prompt & OK.
When Norton warns you of possible malicious script; please "authorize it". It is not malicious and makes no changes to system.

It will take a few minuites to complete scan and tells you when done.
It will drop a log in same folder you saved the app to. If on desktop; log is on desktop. (called "Startup Programs + computername + date")

Please post its contents.

Try to stay offline if not actually working on computer. I dont want this downloading more junk to your system.

Thanks :)

Blender
Blender
Regular Member
 
Posts: 140
Joined: March 3rd, 2005, 4:11 am

Unread postby Blender » August 9th, 2005, 3:19 pm

ps. I may get kicked offline tonight cus we have a real nasty thunderstorm on the way. I should be back at latest in the morning. (EST)
Blender
Regular Member
 
Posts: 140
Joined: March 3rd, 2005, 4:11 am

Unread postby hrdcover » August 10th, 2005, 2:36 am

Thanks very much. Here is the Silent Runners file:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"]
"AcctMgr" = "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"plgwk" = "C:\WINDOWS\System32\plgwk.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"(Default)" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll" [MS]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll" ["Sonic Solutions"]
"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Disc Image Loader\DC_ShellExt.dll" ["Sonic Solutions"]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cszqx.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Pat Noah" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
"Kodak software updater" -> shortcut to: "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Pat Noah" -> launches: "C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"RoxioUpdator" -> launches: "C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe /scheduler" ["Sonic Solutions"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll" [MS]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE" ["Symantec Corporation"]
Iomega Active Disk, _IOMEGA_ACTIVE_DISK_SERVICE_, ""C:\Program Files\Iomega\AutoDisk\ADService.exe"" ["Iomega Corporation"]
Iomega App Services, Iomega App Services, ""C:\PROGRA~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]
ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 229 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 34 seconds.
---------- (total run time: 326 seconds)
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby Blender » August 10th, 2005, 8:08 pm

Hi

My apolagies for taking so long. We got hit by a real vicious storm and power & internet were knocked out.

Couple tools we will need.

Download hoster from here:

http://www.funkytoad.com/download/hoster.zip

Save the file and unzip it. don't run it yet.

Downbload Pocket Killbox by Option^Explicit from here:

http://www.bleepingcomputer.com/files/s ... illBox.zip

Save it, unzip it but don't run it yet.

Copy the following text inside the code box to a new notepad file.
Save as file name fix.reg
As file types all files
Save it to your desktop but don't run it yet.

Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plgwk"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""


*******

Please copy remainder of instructions to notepad or print them out.

Please close any open programs cus we will be rebooting shortly.

Open killbox.exe
Click the "delete on reboot" checkbox.
Paste this into the "full path of file to delete" box:

C:\windows\system32\hclean32.exe

Hit the red button with white X
Answer yes to delete file
Answer No to reboot.

Paste this into the "full path of file to delete" box:

C:\WINDOWS\System32\plgwk.exe

Hit the red button with white X
Answer yes to delete file
Answer No to reboot.


Paste this into the "full path of file to delete" box:

C:\Windows\system32\cszqx.exe

Hit the red button with white X
Answer yes to delete file

Answer YES to reboot.



Allow computer to reboot.

Turn off your Ad-Watch so it does not interfere with our fix.


Double click "fix.reg" I had you make earlier.
Allow contents to be added to registry.
Should get success messege.

Double click "hoster.exe" you downloaded earlier.
Click "restore origional hosts"
You should get success messege.

Start hijackthis, run system scan only and check (if present):

O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [plgwk] C:\WINDOWS\System32\plgwk.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
<--If you did not set this with spybot

O17 - HKLM\System\CCS\Services\Tcpip\..\{BA575D31-8FC4-407F-9EAB-525AD6A5F096}: NameServer = 69.50.176.157,85.255.112.6

close all open windows and hit "fix checked"

Reboot computer again.

Please post:

New hijackthis log
New Silent Runners log

Also; because there will be a few other files/reg keys involved we need to look for the rest.
Needs a couple other tools.


Download rand1038 registry search tool
http://tomcoyote.org/rand1038/vbscript/RegScan.zip
Extract the file run RegScan.vbs paste in the bolded below, wait for a text to open and post the results

Note: Your antivirus script protection might interfear, its safe, please allow it to run.

cssfy.exe,dmxsi.exe,HCLEAN32.EXE,ruins,2A061BD4-3854-4A0A-B985-13B7475AADFE

Then.....

Download FindT from here:

http://forums.net-integration.net/index ... &id=154246

Unzip it to C:\

Open the folder and run the .bat inside (the one with gear on it)

Wait a few seconds....

Post results of log. Please don't delete anything found by these tools. Some items can very well be safe.

Thanks :)

<<Edit>> When you have rebooted after running the fix.reg, hoster.exe and hijackthis fix; ad-watch will likely warn you of deletions and hosts file change. Please allow them.
Blender
Regular Member
 
Posts: 140
Joined: March 3rd, 2005, 4:11 am

Unread postby hrdcover » August 10th, 2005, 11:40 pm

Everything done through running new HJT, Silent Runners logs. Note that on re-boot after running Killbox Norton popped up a message "New Network Detected" and asks me to select a location (home, office, etc.) to join this network. Details were Gateway IP Address: 69.178.0.1, Local IP: 69.178.59.192, Domain: GCI.net. GCI is my isp. What do I do with that?

Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:27:15 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/defaul ... Loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Here is the Silent Runners log:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"]
"AcctMgr" = "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"(Default)" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll" [MS]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll" ["Sonic Solutions"]
"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Disc Image Loader\DC_ShellExt.dll" ["Sonic Solutions"]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Pat Noah" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
"Kodak software updater" -> shortcut to: "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Pat Noah" -> launches: "C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"RoxioUpdator" -> launches: "C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe /scheduler" ["Sonic Solutions"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll" [MS]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE" ["Symantec Corporation"]
Iomega Active Disk, _IOMEGA_ACTIVE_DISK_SERVICE_, ""C:\Program Files\Iomega\AutoDisk\ADService.exe"" ["Iomega Corporation"]
Iomega App Services, Iomega App Services, ""C:\PROGRA~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]
ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 197 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 27 seconds.
---------- (total run time: 270 seconds)


Remainder to follow shortly.
Pat
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby hrdcover » August 10th, 2005, 11:48 pm

Here is the Regscan log:

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 8/10/2005 7:46:51 PM
; Search Term(s) Used: "cssfy.exe,dmxsi.exe,HCLEAN32.EXE,ruins,2A061BD4-3854-4A0A-B985-13B7475AADFE"
; 1 matches were found.
; The search took 3 minutes and 2 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby hrdcover » August 10th, 2005, 11:52 pm

Here is the FindT log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

C:\WINDOWS\BALLOON.WAV
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby hrdcover » August 11th, 2005, 12:02 am

Oops! I read this all before I started, but must have glossed over the last sentence. I did this pretty fast and may have allowed AdWatch to block some changes after re-boot. Do I need to start over?
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby Blender » August 11th, 2005, 10:48 am

Hi

Note that on re-boot after running Killbox Norton popped up a message "New Network Detected" and asks me to select a location (home, office, etc.) to join this network. Details were Gateway IP Address: 69.178.0.1, Local IP: 69.178.59.192, Domain: GCI.net. GCI is my isp. What do I do with that?


If that is your ISP then allow it.

Norton thinks it is new cus we removed the bad O17 line in your Hijackthis log. Your ISP dns servers info was replaced by hijacker's.

Current Hijackthis log looks good. I don't think Ad-Watch interfered. We will see with the next reboot. (are you getting any more warnings?)

Silent Runners is ok too.

Couple fixes left to do.

Copy the following text to a new notepad file.
Save as file name remove.reg
As file types All files
Save it to your desktop.

Code: Select all
Windows Registry Editor Version 5.00 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]


Once saved...double click it and allow the merge.

Reboot

Find and delete:

C:\Windows\Balloon.wav

Any more popups saying infected, antivirus is bad, etc, etc...?

another scan I would like to see.

Please run an online scan here:

http://www.pandasoftware.com/activescan ... ncipal.htm

Allow the active x install and allow it thru Ad-Watch.
scan 'whole computer'
When scan is done press "see report" then "save report"
That creates file "activescan.txt"

Once saved; reboot once more and post the Activescan.txt please.
let me know how things are running.

Thanks :)
Blender
Regular Member
 
Posts: 140
Joined: March 3rd, 2005, 4:11 am

Unread postby hrdcover » August 11th, 2005, 1:33 pm

There have been pop-ups, re-directs since I ran MWav and no current perceived problems. Interestingly, when I logged on this morning there was no "New Network" message so nothing for me to authorize.

I could not get the download from Panda to work. Appeared it was downloading necessary files but could not find anything to run and could not launch a scan. When I went back to Panda to try again, the download window flashed open and then closed. Any suggestions?
hrdcover
Regular Member
 
Posts: 27
Joined: June 12th, 2005, 12:53 pm
Location: Anchorage

Unread postby Bertha » August 11th, 2005, 6:32 pm

Hi hrdcover

Blender is away for a while so ill help you till they return,

Lets try another Online Scan

TrendMicro -
http://fr.trendmicro-europe.com/consume ... launch.php

Allow them to remove anything they find and note down anything they find but cannot rmeove and its location and post back here in your reply

Let me know how it goes

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Blender » August 11th, 2005, 6:39 pm

Hi

Hi Bertha :) I'm back :)


hrdcover

Regarding Panda...

Once on Panda's site...

You did click the yellow info bar and tell it to install active x? XP sp2 blocks all active x till you ok it.
You should then get a prompt asking if you want to install it.
Let it install and you should then be presented with the option of what to scan after it installs the needed files.

If you get scan to work, please post its log.

If it won't work please try Bertha's sugestion for Trend Micro scan.
It too requires active x install.

I would like to see a new HJT log as well please. I want to make sure none of this junk returned.

thanks :)
Blender
Regular Member
 
Posts: 140
Joined: March 3rd, 2005, 4:11 am
Advertisement
Register to Remove

PreviousNext

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 306 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware