Pwsteal.trojan


#1 undun40cal

Hi. I posted my problem in another thread and was sent here. Here is a copy of my post:


I'm having a serious problem trying to remove this virus, PWsteal.trojan.
So far I have done everything that Symantec told me to do to get rid of it, but whenever I think I've removed it, the same infected file comes back. So far I have deleted this file, "cssrs.exe", from my windows/system32 folder about 8 times, but to no avail. Since it's in .exe format, I figured that if I changed the extension to something unrealistic it would stop the file from being used, but that did nothing either. It denies me access to delete the file unless I press F8 and start in another mode. Well, I guess the main reason I'm here is to find out if there is another file that is releasing this virus every time I delete it and restart my PC, and what I should do to get rid of it. I don't know what to do anymore. Norton isn't working for me the way it says it is made to. Any alternative help is needed. Please help me before I throw this thing out the window....


I just downloaded HijackThis and here is the log file:


Logfile of HijackThis v1.99.1
Scan saved at 11:34:57 AM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\win32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Software Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SECURITY.EXE
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112326022187
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.28/ttinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: System - {A3A83AFC-9652-4CD9-8CF7-0B3974289EF7} - vr_sys.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Service\Software Jukebox v2.0 File.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe






There's something I would like to add. I don't really understand what HijackThis does, but here is what I take of it. So far I noticed that it lists the running processes/programs and that's it (pertaining to this subject). Now the thing is, the malware program shows up in the service section of Ctrl+Alt+Del, but not in the HijackThis log. The virus also has a few entries in the registry. I'm not very PC orientated, so I'm using the info from Symantec to explain this better.

What this virus is doing:

Trying to send spam through my email address (AOL account).

Makes almost all the words in forum posts, websites and basically any word into links to a search engine.

Causes a pop-up to appear in IE saying I have a virus and to download a specific piece of software to remove it.

Reappears after it has been deleted and all the reg entries have been deleted.

Denies access to the file until it is turned off in Ctrl+Alt+Del.


Edited by undun40cal, 28 May 2005 - 12:01 PM.

#2 Wizard (Retired Staff)

Hi undun40cal and Welcome to the Geeks to Go Forums!

Please copy and paste these instructions into Notepad and save them to your Desktop!

Please go to Add/Remove Programs and remove

WildTangent

Download Ewido Security Suite, install it, then from within the program check for updates BUT don't scan yet.
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating, see here:
http://www.ewido.net...wnload/updates/

Download "The Hoster" from here
http://www.funkytoad...load/hoster.zip

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders; this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Scan the PC with Ewido Security Suite and Save the log it produces!

Open Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

Highlight >> Right Click and Copy the list below

C:\WINDOWS\system32\cssrs.exe
C:\WINDOWS\system32\abc.exe
C:\WINDOWS\vr_sys.dll
C:\WINDOWS\system32\win32.exe
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}
C:\Program Files\WildTangent


Open Pocket KillBox and Click File>>Paste from Clipboard!

You should now see the first file from the list in the Box labeled "Full Path of File to Delete"

If you Click the Down Arrow you should see the rest of the list!

If you don't see the files there, enter them into Killbox one at a time and use the instructions below!

Now, place a tick by any of these selections that are available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Once those are ticked, click the Red Circle with the White X in the middle to delete!!

IMPORTANT: Please keep track of any files or folders Killbox says it can't delete; we will need that list in a minute!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.EXE

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SECURITY.EXE

O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.28/ttinst.cab

O21 - SSODL: System - {A3A83AFC-9652-4CD9-8CF7-0B3974289EF7} - vr_sys.dll (file missing)


Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

If there is a list of files or folders that wouldn't delete >> Paste them into KillBox and select

"Delete on Reboot"
Tick any of the Selections I indicated Earlier and Delete!

When prompted >> Click "Yes" to confirm and "No" to restart >> When you get to the last entry >> Click "Yes" to confirm and "Yes" to restart!!

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.

Restart normally and have the PC scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with the reports from Ewido >> Panda and a fresh HijackThis log!
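The fix list above singles out a handful of the log's R0/R1, O4 and O21 entries; as an added example (not from the thread and not HijackThis code), the Python below applies the same reasoning to HijackThis-style log lines: binaries under a GUID-named folder in system32\Services, file names that imitate core Windows processes, dangling logon-time load points marked "(file missing)", and start/search pages on hosts outside an allowlist. The sample lines are copied from the log posted in this thread, except the cssrs.exe Run entry, which is constructed to exercise the lookalike rule. The core-process list, the allowlist of expected hosts and the edit-distance threshold are assumptions.

```python
"""Triage pass over HijackThis v1.99-style log lines (added example, not
HijackThis code). Allowlists and the edit-distance threshold are assumed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Core Windows process names that malware commonly imitates (assumed list).
CORE_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
              "services.exe", "smss.exe")
# Directory holding the genuine copies, lower-case (assumed).
CORE_DIRS = {r"c:\windows\system32"}
# Hosts the browser start/search pages are expected to use (assumed; these
# are the HP OEM defaults visible in the posted log).
EXPECTED_HOSTS = {"us10.hpwis.com", "srch-us10.hpwis.com"}

_ENTRY = re.compile(r"^(R[0-3]|O\d+)\s+-\s+(.*)$")
_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)
_URL = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_binary(path: str):
    """Reason string if an autostart binary looks out of place, else None."""
    low = path.lower()
    folder, _, name = low.rpartition("\\")
    if "\\system32\\services\\{" in low:
        return "executable under a GUID-named folder in system32\\Services"
    if name in CORE_NAMES and folder not in CORE_DIRS:
        return f"core process name {name} outside its expected directory"
    for core in CORE_NAMES:
        if name != core and levenshtein(name, core) <= 2:
            return f"name {name} looks like core process {core}"
    return None


def triage(lines):
    """Return one Finding per heuristic hit, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header, process list and blank lines carry no entry
        section, body = m.groups()
        if section in ("R0", "R1"):
            for url in _URL.findall(body):
                host = urlparse(url).hostname or ""
                if host not in EXPECTED_HOSTS:
                    findings.append(Finding(
                        section, f"start/search page on unexpected host {host}", line))
        if section in ("O20", "O21", "O23") and "(file missing)" in body:
            # A logon-time load point whose file is gone is still a hook;
            # O9 browser buttons with missing files are deliberately ignored.
            findings.append(Finding(section, "load point references a missing file", line))
        if section in ("O4", "O20", "O21", "O23"):
            for path in _PATH.findall(body):
                reason = check_binary(path)
                if reason:
                    findings.append(Finding(section, reason, line))
                    break
    return findings


# Sample lines copied from the log posted in this thread, plus one constructed
# O4 line for cssrs.exe (in the thread that file appears only in the fix list).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SECURITY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [cssrs] C:\WINDOWS\system32\cssrs.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O21 - SSODL: System - {A3A83AFC-9652-4CD9-8CF7-0B3974289EF7} - vr_sys.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Heuristics like these are only a first pass: the log's `win32.exe` Run entry, which the fix list also removes, trips none of them and was identified by the Ewido scan instead.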

#3 undun40cal (Topic Starter)

Okay, here are the logs from each scan. It seems the virus (cssrs.exe.tcf) is still here, but the extension name has been changed. At least it's not trying to access my email anymore.
--------------------------------------------
KILLBOX SCAN
--------------------------------------------
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}
C:\WINDOWS\system32\cssrs.exe
This file does not seem to exist
C:\WINDOWS\system32\abc.exe
This file does not seem to exist
C:\WINDOWS\vr_sys.dll
This file does not seem to exist
C:\WINDOWS\system32\win32.exe
This file does not seem to exist
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}
File Was Deleted
C:\Program Files\WildTangent
This file does not seem to exist




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:03:02 PM, 5/29/2005
+ Report-Checksum: 6A8C4AB2

+ Date of database: 5/29/2005
+ Version of scan engine: v3.0

+ Duration: 89 min
+ Scanned Files: 450192
+ Speed: 83.59 Files/Second
+ Infected files: 77
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@90594700[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@bfast[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@ehg-autodesk.hitbox[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@gamasutraexchange[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@hitbox[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@S111319[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@web4.realtracker[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@wiki.beyondunreal[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@www.gamasutraexchange[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GLSDYVKT\latest[1].exe -> TrojanProxy.Lager.j -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175281.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175312.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175484.asw -> Spyware.Claria -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175625.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175703.asw -> Spyware.Gator.6041 -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175750.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175875.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175937.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30176046.asw -> Spyware.Claria -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179687.asw -> Spyware.Claria -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179765.asw -> Spyware.Gator.6051 -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179796.asw -> Spyware.Gator.6051 -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179906.asw -> Spyware.Claria -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179968.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180000.asw -> Spyware.Gator.6051 -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180046.asw -> Spyware.Gator.6051 -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180093.asw -> Spyware.Claria -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180203.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180250.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180296.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180359.asw -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216484.asw -> Spyware.Altnet.b -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216984.asw -> Spyware.P2PNetworking -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30217062.asw -> Spyware.P2PNetworking -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30217609.asw -> TrojanDownloader.WebP2PInstaller -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218125.asw -> Spyware.AltnetBDE -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218531.asw -> Spyware.Altnet.b -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218562.asw -> Spyware.AltnetBDE -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218625.asw -> Spyware.AltnetBDE -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218718.asw -> Spyware.AltnetBDE -> Ignored
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30219218.asw -> Spyware.P2PNetworking -> Ignored
C:\Program Files\Common Files\uctaoabu\saqeplns\lubfdltl.exe.tcf -> Spyware.Gator -> Ignored
C:\Program Files\Common Files\uctaoabu\ubcetrfoob\robddmlcc.exe.tcf -> Spyware.Gator -> Ignored
C:\Program Files\DAP\DAP.exe -> Spyware.Dap.b -> Ignored
C:\WINDOWS\system32\cssrs.exe.tcf -> TrojanSpy.PdPinch -> Ignored
C:\WINDOWS\system32\cssrs.exe9346.tcf -> TrojanSpy.PdPinch -> Ignored
C:\WINDOWS\system32\cssrs.exe9477.tcf -> TrojanSpy.PdPinch -> Ignored
C:\WINDOWS\system32\H@tKeysH@@k.DLL.tcf -> Not-A-Virus.Tool.Game.HotHook -> Ignored
C:\WINDOWS\system32\latest.exe -> TrojanProxy.Lager.j -> Ignored
C:\WINDOWS\system32\Services\{4F9612F6-7490-4D46-B20B-E51FF90536DC}\SVCHOST.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{4F9612F6-7490-4D46-B20B-E51FF90536DC}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SECURITY.DLL.tcf -> Trojan.WebSearch.i -> Ignored
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SECURITY.EXE.tcf -> Trojan.WebSearch.i -> Ignored
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST.EXE -> Trojan.WebSearch.i -> Ignored
C:\WINDOWS\system32\Services\{7275B550-6741-4B7B-B7D6-67B9389FFBC2}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{9E266852-FC83-47CE-A8D8-AB57A1CA0AA7}\SVCHOST.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{9E266852-FC83-47CE-A8D8-AB57A1CA0AA7}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{CBF8D77F-1CD9-4002-8570-DCC75F1460E8}\SVCHOST.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{CBF8D77F-1CD9-4002-8570-DCC75F1460E8}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{E28A1EE1-3E3B-45E3-A7A0-94CB3CC429A5}\SVCHOST.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{E28A1EE1-3E3B-45E3-A7A0-94CB3CC429A5}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{EC936B9F-2D9B-4780-BE2C-3F9943B32218}\SVCHOST.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\Services\{EC936B9F-2D9B-4780-BE2C-3F9943B32218}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Ignored
C:\WINDOWS\system32\win32.exe -> TrojanProxy.Lager.j -> Ignored
C:\WINDOWS\system32\~update.exe -> TrojanProxy.Lager.j -> Ignored
C:\WINDOWS\vr_sys.dll -> TrojanSpy.PdPinch -> Ignored


::Report End


--------------------------------------------------
ACTIVESCAN LOG
--------------------------------------------------

Incident Status Location

Adware:Adware/CWS.Yexe No disinfected C:\!Submit\SECURITY.DLL.tcf
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UQQXXTSA\d[1].htm
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175281.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175312.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175359.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175484.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175625.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175703.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175750.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175875.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30175937.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30176046.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179687.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179765.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179796.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179906.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30179968.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180000.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180046.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180093.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180203.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180250.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180296.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30180359.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216484.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216546.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216546.asw[sysdetect.dll]
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216593.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216593.asw[Points Manager.exe]
Adware:Adware/MyWay No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216640.asw
Adware:Adware/MyWay No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216640.asw[mySetp.exe]
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216718.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216718.asw[AltnetUninstall.exe]
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216718.asw[asmend.exe]
Adware:Adware/P2PNetworking No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216984.asw
Adware:Adware/P2PNetworking No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30217062.asw
Adware:Adware/P2PNetworking No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30217609.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218125.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218531.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218562.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218625.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30218718.asw
Adware:Adware/P2PNetworking No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30219218.asw
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\uctaoabu\saqeplns\lubfdltl.exe.tcf
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\uctaoabu\ubcetrfoob\robddmlcc.exe.tcf
Possible Virus. No disinfected C:\Program Files\GameSpy Arcade\fpupdate.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Virus:Trj/Pdpinch.Q No disinfected C:\WINDOWS\system32\cssrs.exe.tcf
Virus:Trj/Pdpinch.Q No disinfected C:\WINDOWS\system32\cssrs.exe9346.tcf
Virus:Trj/Pdpinch.Q No disinfected C:\WINDOWS\system32\cssrs.exe9477.tcf
Here they are. Will deleting any of the files that are mentioned in the scans harm my O/S or computer at all, besides the trojan? I totally appreciate the help I have been getting throughout this whole ordeal. I recommend this forum to anyone who wants advice and/or help. :tazz:

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK... Let's give this another go... I have never seen Ewido ignore anything!

Had you used this program previously?

Did you select to Ignore the files to be deleted?

If you choose to ignore, please run it again in Safe Mode along with the other instructions I have listed!

Download CCleaner
http://www.filehippo...d_ccleaner.html

CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Restart in Safe Mode!

One at a time, enter each file into Killbox and put a tick by any of these available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

C:\WINDOWS\smdat32a.sys
C:\WINDOWS\vr_sys.dll
C:\WINDOWS\system32\cssrs.exe.tcf
C:\WINDOWS\system32\cssrs.exe9346.tcf
C:\WINDOWS\system32\cssrs.exe9477.tcf
C:\WINDOWS\system32\latest.exe
C:\WINDOWS\system32\win32.exe
C:\WINDOWS\system32\Services
C:\Program Files\DAP
C:\Program Files\Common Files\uctaoabu
C:\Program Files\GameSpy Arcade


Keep track of what happens as each file is deleted; if any return "not found" or "undeletable", write the full name and path down!

Run CCleaner>>Click Run Cleaner and let it do its thing!

Run CleanUp!>>Click the Cleanup button and when prompted to log off>>Click No!

If there is a list of files or folders that wouldn't delete or couldn't be found>>Paste them into KillBox and select "Delete on Reboot"

Tick any of the Selections I indicated Earlier and Delete!

When Prompted>>Click "Yes" to Confirm and "No" to restart>>When you get to the last entry>>Click "Yes" to Confirm and "Yes" to restart!!

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.

Restart Normal and have the PC Scanned here
http://support.f-sec.../home/ols.shtml

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post the Results along with a fresh HijackThis log!

#5
undun40cal

undun40cal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 80 posts
Problem resolved! Thank you so much for the help. You have saved my PC. It's a shame that, depending on what virus you get, certain programs/software don't know how to get rid of it or don't even know it's there on your PC. I'm disappointed in Norton's, having faith that the software would do as it is supposed to and then it doesn't. Thank the lord for geekstogo! :tazz:

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please do the Scan at F-Secure to be sure all bugs are cleared!

Go ahead and Disable System Restore

Click Start>>Right Click My Computer>>Select Properties>>Select System Restore>>Put a check by Turn Off System Restore>>Move the Slider below that to the Minimum Position!

Install Spyware Blaster and IE Spyad just for Internet Explorer!

SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Post back with F-Secure Results as soon as completed and a fresh HijackThis Log!

#7
undun40cal

undun40cal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 80 posts
Okay, F-Secure says that there are no threats. If there was supposed to be a log, it didn't show one or there was no link to one. So far everything is in order and my PC is running like new again. Here is a fresh HJT log:



Logfile of HijackThis v1.99.1
Scan saved at 6:54:21 PM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\Software Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112326022187
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF8FDE7-40CD-4F88-B44E-53A81DA3FF7F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Service\Software Jukebox v2.0 File.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
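The two log formats in this thread (the scanner report in post #3 and the HijackThis log above) are exactly what a helper cross-checks by eye. The script below is an added Python example, not a tool from this thread, from HijackThis or from the scanner vendor. It parses scanner report lines into flagged paths, pulls the executable path out of HijackThis O4 (Run / Global Startup) and O2/O3/O9/O20/O23 entries, and reports autostart entries whose path or file name the scanner flagged, plus two softer signals visible in the log above: a bare file name with no directory (resolved through the search path, so it is worth confirming which copy runs) and a service listed with "Unknown owner". The scanner sample is a subset of the report posted earlier; the HijackThis excerpt is constructed from lines in the clean log plus one hypothetical O4 entry for cssrs.exe so that the check has a hit. The rule that strips a `9346.tcf`-style suffix is specific to this thread, where the poster renamed the file's extension before the scan found it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the scanner-report format quoted earlier in the thread
# (subset of that report; the .tcf names are the poster's renamed copies).
SCAN_REPORT = r"""
Virus:Trj/Pdpinch.Q No disinfected C:\WINDOWS\system32\cssrs.exe.tcf
Virus:Trj/Pdpinch.Q No disinfected C:\WINDOWS\system32\cssrs.exe9346.tcf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\30216593.asw[Points Manager.exe]
Possible Virus. No disinfected C:\Program Files\GameSpy Arcade\fpupdate.exe
"""

# Constructed HijackThis excerpt: lines from the clean log in this thread plus one
# hypothetical O4 entry for cssrs.exe (not in the real log) so the cross-check fires.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [cssrs] C:\WINDOWS\system32\cssrs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Service\Software Jukebox v2.0 File.exe
"""

# Shortest drive-letter path ending in a module extension, e.g. the DLL inside a rundll32 command.
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl|scr|ocx)\b', re.IGNORECASE)
# Suffix the poster added when renaming the file (cssrs.exe9346.tcf -> cssrs.exe).
RENAME_SUFFIX_RE = re.compile(r"\d*\.tcf$")


@dataclass
class Finding:
    hjt_line: str
    path: str
    reason: str


def normalize(path: str) -> str:
    """Lower-case, drop quotes and collapse doubled backslashes (the log shows 'Protection\\aolserv.exe')."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"')).lower()


def parse_scan_report(text: str) -> List[Tuple[str, str]]:
    """Return (detection label, file path) pairs; an '[inner file]' archive-member suffix is dropped."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"^(?P<label>.+?)\s+No disinfected\s+(?P<path>.+)$", line.strip())
        if m:
            hits.append((m.group("label"), re.sub(r"\[[^\]]*\]$", "", m.group("path"))))
    return hits


def executable_from_hjt(line: str) -> Optional[str]:
    """Extract the executable/module path from a HijackThis entry, or None for unsupported kinds."""
    kind = line.split(" - ", 1)[0].strip()
    if kind == "O4":
        if "] " in line:                      # O4 - HKLM\..\Run: [Name] command
            cmd = line.split("] ", 1)[1].strip()
        elif " = " in line:                   # O4 - Global Startup: x.lnk = path
            cmd = line.split(" = ", 1)[1].strip()
        else:
            return None
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        m = DRIVE_PATH_RE.search(cmd)
        return m.group(0) if m else cmd.split(" ", 1)[0]
    if kind in {"O2", "O3", "O9", "O20", "O23"}:  # ... - {CLSID or vendor} - path
        tail = line.rsplit(" - ", 1)[-1].strip()
        return None if tail.endswith("(file missing)") else tail
    return None


def audit(hjt_log: str, scan_report: str) -> List[Finding]:
    """Flag HijackThis entries whose path or file name the scanner reported, plus weaker signals."""
    by_path: Dict[str, str] = {}
    by_name: Dict[str, str] = {}
    for label, path in parse_scan_report(scan_report):
        norm = RENAME_SUFFIX_RE.sub("", normalize(path))
        by_path[norm] = label
        by_name[norm.rsplit("\\", 1)[-1]] = label
    findings = []
    for line in hjt_log.splitlines():
        exe = executable_from_hjt(line)
        if not exe:
            continue
        norm = normalize(exe)
        name = norm.rsplit("\\", 1)[-1]
        if norm in by_path:
            findings.append(Finding(line, exe, f"path flagged by scanner as {by_path[norm]}"))
        elif name in by_name:
            findings.append(Finding(line, exe, f"file name flagged by scanner as {by_name[name]}"))
        elif "\\" not in norm:
            findings.append(Finding(line, exe, "bare file name resolved via search path; confirm which copy runs"))
        elif " - Unknown owner - " in line:
            findings.append(Finding(line, exe, "service without a vendor string; verify the binary"))
    return findings


if __name__ == "__main__":
    for f in audit(HJT_LOG, SCAN_REPORT):
        print(f"{f.reason}\n    {f.hjt_line}")
```

On the constructed input this reports three entries: the hypothetical cssrs.exe Run entry (matched through the stripped `.tcf` rename), the bare `LTMSG.exe` entry, and the "Unknown owner" service; ccApp, the rundll32 DLL, the Winlogon Notify DLL and SAVScan pass. The same two parsers work on the full logs posted in this thread when pasted into the two strings.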

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Looks nice, glad to hear that it's running better!

Go ahead and re-enable System Restore and create a new restore point by restarting after you have enabled it!

The 3 links in my signature may make for some interesting reading as to how to avoid this in the future!

Anything else? :tazz: