Cannot delete download.trojan virus[RESOLVED]



#1 SR20fl (Member)
Okay, so I got a trojan virus on my computer. It's called "download.trojan".

Below is some info about the virus and how to delete it.

So I followed all the instructions to delete it, but when I finally located where it was (in the system32 folder) it said that it cannot be deleted because it is "being used by another person or program".

Here's a link with some info on the virus and how to delete it:

http://securityrespo...oad.trojan.html

I tried to delete it. I followed all the instructions, but it said

"Error Deleting File or Folder

Cannot delete pmkhh: It is being used by another person or program.
Close any programs that might be using the file and try again."


Can anyone tell me how to delete this virus?

Thank you :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 4:24:34 PM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
C:\aurora\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\aurora\AiO\Shared\bin\hpOSTS07.exe
C:\aurora\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitemia32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by SR20fl, 06 May 2005 - 02:27 PM.



#2 Guest_thatman_* (Guest)
Hi SR20fl

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Let's see if this finds any hidden Trojans: http://www.ewido.net/en/download/
This setup contains the free as well as the plus version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
When first run, the program will auto-update. Run ewido now.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitemia32.exe
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll

Click on Fix Checked when finished and exit HijackThis.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\pmkhh.dll
c:\windows\system32\elitemia32.exe

Exit Explorer.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WINDOWS\system32\pmkhh.dll
c:\windows\system32\elitemia32.exe


Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
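As an added example (not a tool from this thread or from Geeks to Go), here is a small Python triage script that applies the same review logic thatman used on the HijackThis log above: unnamed O2 BHOs, O20 Winlogon Notify DLLs, one binary registered under several autostart sections, and the elite*32.exe file naming that the Panda report later in the thread attributes to EliteBar. The sample lines are a constructed subset of the log quoted above; the function names, regexes and severity labels are my own.

```python
"""HijackThis log triage (added example, not a tool from this thread)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.99.1 entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitemia32.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
"""

# "O20 - Winlogon Notify: ..." -> section code plus the rest of the line
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# First absolute Windows path ending in a binary extension. Bare names such as
# "AGRSMMSG.exe" (no drive letter) are deliberately left unresolved.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# File naming used by the EliteBar entries in the Panda report later in the thread
ELITE_RE = re.compile(r"\\elite[a-z]{3}32\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per HijackThis entry: section, body, lower-cased path."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:" block, blanks
        pm = PATH_RE.search(m.group("body"))
        entries.append({
            "section": m.group("sec"),
            "body": m.group("body"),
            "path": pm.group(0).lower() if pm else None,
        })
    return entries


def triage(text):
    """Apply the review heuristics from the thread; findings are
    (severity, reason, section, path-or-body) tuples."""
    entries = parse_hjt(text)
    findings = []
    by_path = defaultdict(set)

    for e in entries:
        sec, path, what = e["section"], e["path"], e["path"] or e["body"]
        if path:
            by_path[path].add(sec)
        # O2: a Browser Helper Object with no name is the usual adware marker.
        if sec == "O2" and "(no name)" in e["body"]:
            findings.append(("high", "unnamed BHO", sec, what))
        # O20: a Winlogon Notify DLL is loaded into winlogon.exe at logon, so it
        # is "in use" whenever the desktop is up; every entry deserves a look.
        if sec == "O20":
            findings.append(("review", "Winlogon Notify DLL", sec, what))
        # O4: Run-key entry matching the EliteBar file naming from the Panda log.
        if sec == "O4" and path and ELITE_RE.search(path):
            findings.append(("high", "EliteBar-style name in Run key", sec, what))

    # One binary registered under several autostart sections: pmkhh.dll is both
    # a BHO (explorer.exe / iexplore.exe) and a Winlogon Notify package
    # (winlogon.exe), which is exactly why an in-place delete fails.
    shared = {p: sorted(s) for p, s in by_path.items() if len(s) > 1}
    for p, secs in shared.items():
        findings.append(("high", "registered in " + "+".join(secs), "*", p))
    return {"entries": entries, "findings": findings, "shared_paths": shared}


def high_priority_paths(text):
    """Distinct paths with at least one 'high' finding."""
    return sorted({f[3] for f in triage(text)["findings"] if f[0] == "high"})


if __name__ == "__main__":
    for sev, reason, sec, what in triage(SAMPLE_LOG)["findings"]:
        print(f"{sev:6} [{sec:>3}] {reason}: {what}")
```

Run against a full HijackThis log, the "review" tier is where legitimate vendor DLLs (the Intel igfxcui entry here) show up, so it is a reading list rather than a fix list.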

#3 SR20fl (Topic Starter)
Thank you, thatman, for your help.

I removed all the temporary internet files from my computer and it is going a bit faster now than it was but it is still extremely slow.
There was one thing I did not do. I did not run ewido because I am not sure if it will work right on my computer since I have Norton AntiVirus 2005. I heard doing this will only mess things up.

I had no problem deleting elitemia32.exe from the system32 folder and using HijackThis, but the other file "pmkhh.dll" still won't delete, not even using HijackThis.

I downloaded killbox, unzipped it, saved it to my desktop, rebooted in safe mode, and ran killbox from safe mode. I clicked on the "delete file on reboot" option, and pasted C:/WINDOWS/system32/pmkhh.dll into the full path of file to delete. The only thing I did not completely understand from your directions was this:

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.


when I clicked the delete button, it asked me this:

Delete on reboot?
--------------------------
All listed files will be deleted on next reboot

Yes No

From what I read in your directions, I clicked "No" a few times and the "delete file on reboot?" window just kept closing as if there was no significance to clicking "No", so for the first window I finally decided to click "Yes".

After clicking "Yes", Another window popped up reading:

Delete on next reboot
-------------------------------
Files will be removed on reboot, do you want to reboot now?

Yes No

I tried clicking "No" a few times like I tried on the first one. But again the "delete on next reboot" window just closed every time I clicked "No", as if there was no significance to clicking "No". So again, for the second window, I clicked "Yes".

After clicking Yes, a window popped up reading:

PendingFileRenameOperations
-----------------------------------------------
PendingFileRenameOperations registry data has been removed by external process!
OK

Was it supposed to automatically reboot? (it did not automatically reboot after doing so)

The trojan is not gone. My computer is still slow, the file is still there (in the system32 folder) and Norton AntiVirus is still warning me that I have a virus.
_________________________________________________
EDIT: COMPLETED REPORT!!!! 3:14 PM 5-11-2005


Incident Status Location

Spyware:Spyware/CommonName No disinfected C:\Program Files\Internet Keyword
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network
Adware:Adware/Gator No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Internet Optimizer
Adware:Adware/KeenValue No disinfected C:\Program Files\Common Files\SearchUpgrader
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Comet No disinfected C:\Program Files\Comet Systems
Adware:Adware/TopRebates No disinfected C:\Program Files\Web_Rebates
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/WildTangent No disinfected C:\Program Files\WILDTANGENT
Adware:Adware/WUpd No disinfected C:\Program Files\Winad Client
Adware:Adware/MoeMoney No disinfected C:\Program Files\Ebates?MoeMoneyMaker
Spyware:Spyware/Altnet No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\backups\backup-20050426-173846-134.dll
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\backups\backup-20050426-173846-898.dll
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\Uninstall.exe
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\SearchUpgrader\system.cfg
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\rainbow\classify.dll
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\ts.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsm.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsp.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsuninst.exe
Spyware:Spyware/CommonName No disinfected C:\Program Files\Internet Keyword\inet.exe
Spyware:Spyware/CommonName No disinfected C:\Program Files\Internet Keyword\inetsvc.exe
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
Virus:Trj/Downloader.BGY Disinfected C:\Program Files\PCFlashBang\pc_check.exe
Spyware:Spyware/CommonName No disinfected C:\Program Files\rxtpqt\qutvxu.dll
Spyware:Spyware/CommonName No disinfected C:\Program Files\rxtpqt\qutvxu.exe
Spyware:Spyware/CommonName No disinfected C:\Program Files\rxtpqt\uxvtuq.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1986783815-56917973-550052605-1003\Dc1.exe
Adware:Adware/KeenValue No disinfected C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\ctil.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\ActiveX.inf
Virus:Trj/Downloader.AEE Disinfected C:\WINDOWS\Downloaded Program Files\counter.inf
Adware:Adware/Comet No disinfected C:\WINDOWS\Downloaded Program Files\dm.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPdpSetup.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme_u.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNrd.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PIH6V2J\protector_update[1].exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\protector_update[1].exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitebgc32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitecwk32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitedun32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitehuz32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteibw32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteibz32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteiii32.exe
Virus:Trj/Downloader.CFN Disinfected C:\WINDOWS\system32\elitejjm32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitejtg32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitelsv32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitelvx32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitemal32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitemuf32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitenbz32.exe
Virus:Trj/Downloader.CFN Disinfected C:\WINDOWS\system32\elitenff32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitepov32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitergp32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitesia32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteswb32.exe
Virus:Trj/Downloader.CFN Disinfected C:\WINDOWS\system32\elitewyz32.exe
Virus:Trj/Downloader.CFN Disinfected C:\WINDOWS\system32\elitezez32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\temperror32.dat


-----------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 3:38:11 PM, on 5/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\aurora\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\aurora\AiO\Shared\bin\hpOSTS07.exe
C:\aurora\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



I'm not sure why the trojan (pmkhh.dll) is not deleting. I could be doing something wrong.

:tazz:

Edited by SR20fl, 11 May 2005 - 01:22 PM.


#4 Guest_thatman_* (Guest)
Hi SR20fl

Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first.
Run Ad-Aware SE now.

Use Windows Add/Remove Programs to uninstall the following:
C:\Program Files\BullsEye Network\Uninstall.exe

Reboot into Safe Mode: Click here if you don't know how to do this.

Using Windows Explorer delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.
C:\Program Files\Internet Keyword<--Delete the whole folder
C:\Program Files\Ebates?MoeMoneyMaker<--Delete the whole folder
C:\WINDOWS\EliteSideBar<--Delete the whole folder
C:\Program Files\Common Files\SearchUpgrader<--Delete the whole folder
C:\Program Files\WILDTANGENT<--Delete the whole folder
C:\Program Files\Winad Client<--Delete the whole folder
C:\Program Files\Comet Systems<--Delete the whole folder
C:\Program Files\Web_Rebates<--Delete the whole folder
C:\Program Files\Internet Optimizer<--Delete the whole folder
C:\Program Files\Common Files\SearchUpgrader<--Delete the whole folder
C:\Program Files\BullsEye Network<--Delete the whole folder
C:\Program Files\MyWay<--Delete the whole folder
C:\Program Files\Common Files\tsa<--Delete the whole folder
C:\WINDOWS\cdmxtras<--Delete the whole folder
C:\WINDOWS\inf\conscorr.inf<--Delete this file
C:\WINDOWS\inf\localNRD.inf<--Delete this file
C:\WINDOWS\satmat.ini<--Delete this file
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\backups\backup-20050426-173846-134.dll<--Delete this file
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\backups\backup-20050426-173846-898.dll<--Delete this file
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
Exit explorer.

Run Cleanup

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
#5
Guest_thatman_*
Hi SR20fl

Fix part two

Please download Process Explorer by Sysinternals from HERE.
Unzip Process Explorer and double-click on procexp.exe.

Also download KillBox by Option^Explicit from HERE

Then boot up in SAFE MODE.

The rest of this fix must be done in Safe Mode.

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of pmkhh.dll once and then click the kill button.

After you have killed all of the pmkhh.dll's under winlogon click OK.

Next double click on explorer.exe and again click once on each instance of pmkhh.dll then click the kill button.

Click on the Threads tab at the top.

Once you have done that click OK again.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll

Click on Fix Checked when finished and exit HijackThis.

Run KillBox and click the radio button that says Delete a file on reboot.
Copy and paste them one at a time into the "full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\system32\pmkhh.dll

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
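The reason the earlier delete failed is visible in the HijackThis lines being fixed above: the O20 Winlogon Notify entry makes winlogon.exe load pmkhh.dll at every logon, so the file is "in use" for the whole session, and the O2 entry loads it into Internet Explorer as well. As an added example (not code from the thread, from HijackThis or from its author), the Python helper below parses HijackThis v1.99.1 log lines and lists every load point that references a given module; the sample lines are copied from this thread, except that the truncated redirect URL is replaced by a constructed placeholder host.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not from the thread).

HijackThis prints one item per line: "<section> - <body>", where the section
(R0, R1, O2, O4, O20, O23, ...) tells you what kind of load point it is. The
helper extracts the module path from each line and reports which load points
reference a module such as pmkhh.dll.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the thread's HijackThis output. The
# ie.redirect URL was truncated in the thread, so a placeholder host is used.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:24:34 PM, on 5/6/2005

Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.example.invalid/?pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path ending in a module extension, quoted or not.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe|sys|ocx)\b", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
BROWSER_SETTING = re.compile(r"^(?P<key>HK(?:LM|CU)\\[^=]+?) = (?P<url>\S+)$")

# Which process ends up hosting the module for each section (HijackThis meaning).
LOAD_POINT_HOSTS = {
    "O2": "BHO, loaded into Internet Explorer",
    "O3": "IE toolbar, loaded into Internet Explorer",
    "O4": "Run key / Startup folder, started at logon",
    "O20": "Winlogon Notify, loaded into winlogon.exe at logon",
    "O21": "ShellServiceObjectDelayLoad, loaded into explorer.exe",
    "O23": "NT service, runs as its own process",
}


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]  # first module path found in the body, if any


def parse_hjt(text: str) -> List[Entry]:
    """Parse the per-item lines; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = WIN_PATH.search(body)
        entries.append(Entry(m.group("section"), body, p.group(0) if p else None))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_load_points(entries: List[Entry], module_name: str) -> List[Tuple[str, str]]:
    """(section, host description) for every entry whose module is module_name."""
    wanted = module_name.lower()
    return [(e.section, LOAD_POINT_HOSTS.get(e.section, "other"))
            for e in entries if e.path and basename(e.path) == wanted]


def unqualified_run_targets(entries: List[Entry]) -> List[Tuple[str, str]]:
    """O4 Run values whose target is not an absolute drive-letter path (worth a second look)."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_ENTRY.match(e.body)
        if m and not WIN_PATH.search(m.group("target")):
            out.append((m.group("name"), m.group("target")))
    return out


def browser_settings(entries: List[Entry]) -> List[Tuple[str, str]]:
    """R0/R1 items as (registry value, URL), to compare with what the user actually chose."""
    out = []
    for e in entries:
        if e.section in ("R0", "R1"):
            m = BROWSER_SETTING.match(e.body)
            if m:
                out.append((m.group("key"), m.group("url")))
    return out


def triage(text: str, module_name: str) -> dict:
    entries = parse_hjt(text)
    points = find_load_points(entries, module_name)
    return {
        "load_points": points,
        # Mapped into winlogon.exe from logon onwards: a plain delete will fail
        # with "in use", so the hook is removed first or the file deleted at reboot.
        "locked_by_winlogon": any(sec == "O20" for sec, _ in points),
        "unqualified_run_targets": unqualified_run_targets(entries),
        "browser_settings": browser_settings(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "pmkhh.dll")
    for sec, desc in report["load_points"]:
        print(f"{sec}: {desc}")
    print("locked by winlogon:", report["locked_by_winlogon"])
```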
#6
SR20fl (Topic Starter)
thatman(Kc), THANK YOU FOR YOUR PROFESSIONAL HELP!! ;)

pmkhh.dll is gone! My computer is back to normal (a little faster than before I had the virus). I checked in the system32 folder and it is not there anymore.

:tazz: After removing the virus, there is something strange. (It's not any type of malware.) In the "other pics, cars(random info)" folder, there is a database file named "thumbs" that keeps re-pasting itself in the "other pics,cars(random info)" folder every time I move it away from the folder.

The file is where I installed all my downloads that you told me to download in your previous posts. It was created today, the same day that the virus was removed. I'm guessing it's from one of the programs I downloaded ;)


Norton AntiVirus has detected these viruses(?) and automatically deleted them a few minutes after it rebooted in normal mode:

.../backup-20050512-182028-164.dll

C:\!submit\pmkhh.dll



----------------------------------------------------------------------------
Panda Active Scan log

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\Program Files\PerfectNav
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Comet No disinfected C:\WINDOWS\Downloaded Program Files\dm.inf
Adware:Adware/TopRebates No disinfected C:\WINDOWS\Downloaded Program Files\winadx.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/WildTangent No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\Windows SyncroAd
Spyware:Spyware/Altnet No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar
Adware:Adware/P2PNetworking No disinfected Windows Registry
Spyware:Spyware/CommonName No disinfected C:\Program Files\rxtpqt\qutvxu.dll
Spyware:Spyware/CommonName No disinfected C:\Program Files\rxtpqt\qutvxu.exe
Spyware:Spyware/CommonName No disinfected C:\Program Files\rxtpqt\uxvtuq.exe
Adware:Adware/KeenValue No disinfected C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\ctil.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\ActiveX.inf
Adware:Adware/Comet No disinfected C:\WINDOWS\Downloaded Program Files\dm.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPdpSetup.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme_u.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNrd.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PIH6V2J\protector_update[1].exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\protector_update[1].exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitebgc32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitecwk32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitedun32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitehuz32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteibw32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteibz32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteiii32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitejtg32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitelsv32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitelvx32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitemal32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitemuf32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitenbz32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitepov32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitergp32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitesia32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteswb32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\temperror32.dat





----------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:58:12 PM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\aurora\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\aurora\AiO\Shared\bin\hpOSTS07.exe
C:\aurora\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


-------------------------------------------------------------------------------------------
PS: Is Norton SystemWorks 2005 (a combination of Norton AntiVirus, LiveUpdate, CleanUp, etc.) a good program to prevent this from happening again, or do you recommend something else?


:)

Edited by SR20fl, 12 May 2005 - 06:17 PM.

#7
Guest_thatman_*
Hi SR20fl

Please read through the instructions before you start (you may want to print this out).

Have a look in the Malware Removal - HiJackThis Logs Go Here forum and see how virus programs fare against malware, then ask me again.

Download Pocket KillBox and unzip it; save it to your Desktop.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run KillBox and click the radio button that says Delete a file on reboot.
Copy and paste them one at a time into the "full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\Downloaded Program Files\dm.inf
C:\WINDOWS\Downloaded Program Files\winadx.inf
C:\WINDOWS\inf\localNRD.inf
C:\WINDOWS\satmat.ini
C:\Program Files\rxtpqt\qutvxu.dll
C:\Program Files\rxtpqt\qutvxu.exe
C:\Program Files\rxtpqt\uxvtuq.exe
C:\WINDOWS\browserxtras\pn\remove.exe
C:\WINDOWS\ctil.exe
C:\WINDOWS\Downloaded Program Files\ActiveX.inf
C:\WINDOWS\Downloaded Program Files\dm.inf
C:\WINDOWS\Downloaded Program Files\WinadX.inf
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
C:\WINDOWS\GatorPatch.log
C:\WINDOWS\GatorPdpSetup.log
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\GatorUninstaller_cme_u.log
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\inf\localNrd.inf
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\satmat.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PIH6V2J\protector_update[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\protector_update[1].exe
C:\WINDOWS\system32\elitebgc32.exe
C:\WINDOWS\system32\elitecwk32.exe
C:\WINDOWS\system32\elitedun32.exe
C:\WINDOWS\system32\elitehuz32.exe
C:\WINDOWS\system32\eliteibw32.exe
C:\WINDOWS\system32\eliteibz32.exe
C:\WINDOWS\system32\eliteiii32.exe
C:\WINDOWS\system32\elitejtg32.exe
C:\WINDOWS\system32\elitelsv32.exe
C:\WINDOWS\system32\elitelvx32.exe
C:\WINDOWS\system32\elitemal32.exe
C:\WINDOWS\system32\elitemuf32.exe
C:\WINDOWS\system32\elitenbz32.exe
C:\WINDOWS\system32\elitepov32.exe
C:\WINDOWS\system32\elitergp32.exe
C:\WINDOWS\system32\elitesia32.exe
C:\WINDOWS\system32\eliteswb32.exe
C:\WINDOWS\system32\temperror32.dat

Reboot as normal.

Using Windows Explorer, delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.
C:\Program Files\PerfectNav<--Delete the whole folder
C:\Program Files\Windows SyncroAd<--Delete the whole folder
C:\WINDOWS\EliteSideBar<--Delete the whole folder
C:\Program Files\rxtpqt<--Delete the whole folder
C:\WINDOWS\EliteSideBar
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

This is a folder created by KillBox; it is used to send new malware and virus files for testing. When we have cleaned your system we will delete the folder.
This is safe.


After removing the virus, there is something strange. (It's not any type of malware.) In the "other pics, cars(random info)" folder, there is a database file named "thumbs" that keeps re-pasting itself in the "other pics,cars(random info)" folder every time I move it away from the folder.

The full name is Thumbnails and it is put into all pic folders; this is done by Windows and is safe.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
#8
SR20fl (Topic Starter)
Panda scan log

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar
Adware:Adware/P2PNetworking No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\!Submit\conscorr.inf


-----------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 6:52:44 PM, on 5/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\LIMEWIRE\LimeWire.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\aurora\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\aurora\AiO\Shared\bin\hpOSTS07.exe
C:\aurora\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\Clean Up,monitor,and delete Programs\ProcessExplorer\procexpnt(ProcessExplorer)\procexp.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\OTHER pics,CARS (random Info)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\aurora\AiO\hp officejet v series\FRU\Remind32.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\aurora\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BTW: I heard that the Firefox internet browser is less vulnerable to spyware and adware than IE, so I just now downloaded Firefox. I personally think it's 10X better than IE in ease of use :tazz:

Edited by SR20fl, 13 May 2005 - 05:05 PM.

#9
Guest_thatman_*
Hi SR20fl

C:\WINDOWS\EliteToolBar<--Delete this folder
C:\!Submit\conscorr.inf<--Delete this file

The following two files are dead regkeys and can no longer do any harm.
Adware:Adware/P2PNetworking No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected Windows Registry

How is your system running now?

kc :tazz:
#10
SR20fl (Topic Starter)
Quote:
Hi SR20fl
How is your system running now

kc :tazz:

Both of the last two have been deleted!

It's running like new!! ;) It's running at lightning speed! Even compared to before I had the virus it's running way faster! It never ran this fast! I probably got that virus because I hadn't run LiveUpdate on Norton in about 3 months. I also had never cleaned out the Temporary Internet Files folder until now.

Now I run LiveUpdate every time I'm on my computer. I also clean out the TIF folder about once a week. I had about 800 MB of crap in the TIF folder!! I heard Firefox is safer from adware and spyware than Internet Explorer, so I also downloaded Firefox, and I regret waiting so long to do so.

I think I need to change some of my Firefox settings because my AIM is telling me that I cannot connect with my buddy because of (possibly) firewall settings.
But I'll post it in another section.

I read about donation links and I would help you out, but I don't see a donation link for you anywhere.

Kc, your help was awesome! ;) :)

Edited by SR20fl, 14 May 2005 - 12:23 PM.

#11
Guest_thatman_*
Hi SR20fl

I started fighting malware knowing it was free help and don't see any reason to change it; my help is free, no charge. Go out, have a drink, just raise your glass and say thanks. Kc

Will post some more information later.

Kc :tazz:
#12
SR20fl (Topic Starter)
Well, I'll raise my shot of 151 and say thanks, Kc!

I learned a lot in the process of doing so. I'll be looking forward to the info :tazz:

Edited by SR20fl, 14 May 2005 - 01:17 PM.

#13
Guest_thatman_*
Hi SR20fl

Download and install EasyCleaner:
http://personal.inet...rts/ecleane.htm

After installing it, check under Settings > Registry tab that the backup
option is checked and that the directory it points to exists.
This should be true by default, but check anyway.

Then click OK and click Registry.
Then click Search. When it is done, select all the items per color
(most, if not all, should be green) and click Remove.

Reboot when you are done and let us know how it goes.

Kc :tazz:
#14
Guest_thatman_*
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.