Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

PC infected with DeskTopHijack


  • This topic is locked This topic is locked

#1
Bungy

Bungy

    New Member

  • Member
  • Pip
  • 6 posts
:tazz: G'Day,

Our PC is infected with DeskTopHijack.

I have tried to follow some of the directions given in previous posts but have ended up in trouble.

My attempt to remove it using PC-cillin and AdAware was a failure as well. I would really appreciate some help getting rid of this bloody annoying thing.

Here is the HJT information

Logfile of HijackThis v1.99.1
Scan saved at 1:31:42 PM, on 5/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Telstra\Signup\tbpt.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AAHJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista...owpages.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0456/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\Program Files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMENU.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.cua.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -

http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FCB462D-9788-49A1-8024-237BC262D14B}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACD8C0A2-5EAB-4EB0-87DF-30CACE7839FD}: NameServer = 69.50.176.198,195.225.176.153
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Bungy to Geeks to Go!

I need you to download MWav

This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav, put a check next to below items before scanning:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click "browse" to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure ALL of these are checked, then press the scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log will be extremely BIG so there is no way to copy the whole thing. I just need the infected items list..

***

Please download the Killbox.
Unzip it to the desktop

Please double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:

Past the full path to the fill found bij eScan. I expect it to be:
C:\WINDOWS\System32\systr.dll. Be sure to paste the one it finds.


Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Open HijackThis.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0456/

O17 - HKLM\System\CCS\Services\Tcpip\..\{5FCB462D-9788-49A1-8024-237BC262D14B}: NameServer = 69.50.176.198,195.225.176.153

O17 - HKLM\System\CCS\Services\Tcpip\..\{ACD8C0A2-5EAB-4EB0-87DF-30CACE7839FD}: NameServer = 69.50.176.198,195.225.176.153

Click on Fix Checked when finished and exit HijackThis.
Press 'allow' if Spybot prompts you on a change.

***

Reboot again. Post back here with a fresh log using HijackThis.
  • 0

#3
Bungy

Bungy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi g2i2r4

Since my original post I have been under extreme pressure to "fix it" from the other users here ie. uni and school exam periods etc.

I had another go at "fixing it" by telling my router to ignore the web site that it kept trying to access every 2 minutes and using the instructions that I found in another post I did manage to stop the desktop from being HiJacked. But I'm not sure if I managed to remove everything.

The files I removed were all found in the C:\windows\system32\ directory ie. gunist.exe….popup.dll….param32.dll….and 2 strings of numbers that AdAware found that appeared in “Killbox”

I have run MWav and hope this what you mean. It's copied from the virus log information and I have ignored the invalid objects etc.

I will carry out the rest of your instructions (ie the two O17 lines) and post the HJT log file

File C:\WINDOWS\sigldr.exe infected by "Trojan-Downloader.Win32.Small.awa" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\dumpsprep.exe infected by "Trojan-Dropper.Win32.Agent.lx" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipdnssec6.exe infected by "Trojan.Win32.DNSChanger.p" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\itDDD.exe infected by "Trojan-Downloader.Win32.Small.awa" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\qwinnta.exe infected by "Trojan-Clicker.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\sesmgr.exe infected by "Trojan-Clicker.Win32.Small.gc" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Dad\LOCALS~1\TEMPOR~1\Content.IE5\3WDPZO8O\dropper[1].chm infected by "Trojan-Downloader.Win32.WarSpy.d" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Dad\LOCALS~1\TEMPOR~1\Content.IE5\X8J2FZD7\wow[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Dad\LOCALS~1\TEMPOR~1\Content.IE5\YINZIH8B\dropper[1].exe infected by "Trojan-Downloader.Win32.WarSpy.d" Virus! Action Taken: No Action Taken.
File C:\CD Data\DVD Files\dvdinfo2.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\3WDPZO8O\dropper[1].chm infected by "Trojan-Downloader.Win32.WarSpy.d" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\X8J2FZD7\wow[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\YINZIH8B\dropper[1].exe infected by "Trojan-Downloader.Win32.WarSpy.d" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\2XGJC9UD\EGAUTH_1041_EN_XP[1].cab infected by "Trojan.Win32.P2E.bt" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\K3MJMRCB\cnt[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Robert\My Documents\School work\Music\NP2k5aSETUP.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Robert\My Documents\School work\Music\WinNotePad2003.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Programs\DivX502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\10.tmp infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\11.tmp infected by "Trojan.Java.ClassLoader.Dummy.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\12.tmp infected by "Trojan-Downloader.Java.OpenConnection.v" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\17.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\18.tmp infected by "Trojan-Downloader.Win32.Agent.hz" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\19.tmp infected by "Backdoor.Win32.Agobot.ace" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp tagged as "not-a-virus:AdWare.Msnagent.a". Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1B.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1C.tmp infected by "Trojan-Dropper.Win32.Agent.jd" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\21.tmp infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\22.tmp tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\4.tmp infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\7.tmp infected by "Backdoor.Win32.Agobot.ace" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\8.tmp infected by "Trojan-Downloader.BAT.Ftp.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\9.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\A.tmp infected by "Backdoor.Win32.Agobot.ace" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\B.tmp infected by "Worm.Win32.Lovesan.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\C.tmp infected by "Trojan-Downloader.Win32.Small.aua" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\D.tmp tagged as "not-a-virus:AdWare.Serch.a". Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\E.tmp infected by "Trojan-Downloader.Win32.Small.aua" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\F.tmp infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sigldr.exe infected by "Trojan-Downloader.Win32.Small.awa" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\dumpsprep.exe infected by "Trojan-Dropper.Win32.Agent.lx" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipdnssec6.exe infected by "Trojan.Win32.DNSChanger.p" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\itDDD.exe infected by "Trojan-Downloader.Win32.Small.awa" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\qwinnta.exe infected by "Trojan-Clicker.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sesmgr.exe infected by "Trojan-Clicker.Win32.Small.gc" Virus! Action Taken: No Action Taken.
File C:\CD Data\DVD Files\dvdinfo2.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\3WDPZO8O\dropper[1].chm infected by "Trojan-Downloader.Win32.WarSpy.d" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\X8J2FZD7\wow[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\YINZIH8B\dropper[1].exe infected by "Trojan-Downloader.Win32.WarSpy.d" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\2XGJC9UD\EGAUTH_1041_EN_XP[1].cab infected by "Trojan.Win32.P2E.bt" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\K3MJMRCB\cnt[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Robert\My Documents\School work\Music\NP2k5aSETUP.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Robert\My Documents\School work\Music\WinNotePad2003.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Programs\DivX502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\10.tmp infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\11.tmp infected by "Trojan.Java.ClassLoader.Dummy.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\12.tmp infected by "Trojan-Downloader.Java.OpenConnection.v" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\17.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\18.tmp infected by "Trojan-Downloader.Win32.Agent.hz" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\19.tmp infected by "Backdoor.Win32.Agobot.ace" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp tagged as "not-a-virus:AdWare.Msnagent.a". Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1B.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1C.tmp infected by "Trojan-Dropper.Win32.Agent.jd" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\21.tmp infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\22.tmp tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\4.tmp infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\7.tmp infected by "Backdoor.Win32.Agobot.ace" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\8.tmp infected by "Trojan-Downloader.BAT.Ftp.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\9.tmp infected by "Trojan-IM.Win32.VB.z" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\A.tmp infected by "Backdoor.Win32.Agobot.ace" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\B.tmp infected by "Worm.Win32.Lovesan.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\C.tmp infected by "Trojan-Downloader.Win32.Small.aua" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\D.tmp tagged as "not-a-virus:AdWare.Serch.a". Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\E.tmp infected by "Trojan-Downloader.Win32.Small.aua" Virus! Action Taken: No Action Taken.
File C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\F.tmp infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sigldr.exe infected by "Trojan-Downloader.Win32.Small.awa" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\dumpsprep.exe infected by "Trojan-Dropper.Win32.Agent.lx" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipdnssec6.exe infected by "Trojan.Win32.DNSChanger.p" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\itDDD.exe infected by "Trojan-Downloader.Win32.Small.awa" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\qwinnta.exe infected by "Trojan-Clicker.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sesmgr.exe infected by "Trojan-Clicker.Win32.Small.gc" Virus! Action Taken: No Action Taken.
  • 0

#4
Bungy

Bungy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
HJT logfile as requested.

Logfile of HijackThis v1.99.1
Scan saved at 1:02:24 PM, on 11/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Telstra\Signup\tbpt.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\AAHJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\Program Files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMENU.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.cua.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#5
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
The scanresult looks worse than it actually is. This is what's left to do.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download CleanUp!.
If that doesn’t work, use this link.
Double click the file cleanup.

Go to option
Select ‘custom’
Put a check to:* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close.

Let the system reboot. Make sure the system reboots to safe mode.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Double-click Killbox.exe to run it.

Select "Delete on Reboot".

Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINDOWS\sigldr.exe
C:\WINDOWS\System32\dumpsprep
C:\WINDOWS\System32\ipdnssec6.exe
C:\WINDOWS\System32\itDDD.exe
C:\WINDOWS\System32\qwinnta.exe
C:\WINDOWS\System32\sesmgr.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
If the computer does not reboot by itself, do it manually.

***

Open Trend Micro's Internet Security and clear the Quarantine.

***

Open Windows Explorer:
Move to this folder:
C:\Windows\System32
Delete icons you find in there. For example:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico

***

I see both Trend Micro and AVG for Antivirus. That is not a good idea. Instead of working together to protect you, they are now fighting eachother, leaving you on your own.
Remove one, update the other.

Let me know how things are now.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 26 June 2005 - 04:11 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP