Please Help - Many Popups [RESOLVED]



#76
Flagler23

    Member

  • Topic Starter
  • 77 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\JP Clark\Desktop\Clean Up

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1015-5A79

Directory of C:\WINDOWS\System32

07/10/2005 11:25 PM <DIR> dllcache
04/26/2005 01:12 AM 56 18E3C9DF74.sys
08/12/2003 01:43 PM <DIR> Microsoft
1 File(s) 56 bytes
2 Dir(s) 44,428,488,704 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1015-5A79

Directory of C:\WINDOWS\System32

07/10/2005 11:25 PM <DIR> dllcache
04/26/2005 01:12 AM 56 18E3C9DF74.sys
08/12/2003 01:34 PM 488 logonui.exe.manifest
08/12/2003 01:34 PM 488 WindowsLogon.manifest
08/12/2003 01:34 PM 749 nwc.cpl.manifest
08/12/2003 01:34 PM 749 sapi.cpl.manifest
08/12/2003 01:34 PM 749 ncpa.cpl.manifest
08/12/2003 01:34 PM 749 cdplayer.exe.manifest
08/12/2003 01:34 PM 749 wuaucpl.cpl.manifest
8 File(s) 4,777 bytes
1 Dir(s) 44,428,484,608 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 1015-5A79

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 1015-5A79

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
18e3c9~1.sys Tue Apr 26 2005 1:12:14a ..SHR 56 0.05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56 bytes 0.05 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\pav.sig: AsPack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"PmProxy"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TFNF5"="TFNF5.exe"
"TFncKy"="TFncKy.exe /Type 28"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"Tpwrtray"="TPWRTRAY.EXE"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

#77
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Set your system to SHOW HIDDEN FILES

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\System32\18E3C9DF74.sys

Click "Open", then click the "Submit" button. Copy the results and paste them here.

#78
Flagler23

    Member

  • Topic Starter
  • 77 posts
ok cool got that. thanks a lot.

Service load: 0% 100%

File: 18E3C9DF74.sys
Status: OK
MD5 f55a6d682eb28910192342a757ad7861
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


#79
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go ahead and open Ewido. Update it, then run a full system scan just as you did before. Save the log and post it.

#80
Flagler23

    Member

  • Topic Starter
  • 77 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:04:34 PM, 7/14/2005
+ Report-Checksum: 922842D8

+ Scan result:

C:\bjivxikm.exe -> Backdoor.Agobot : Cleaned with backup
C:\bomvmyyn.exe -> Backdoor.Agobot : Cleaned with backup
C:\brrfuxqn.exe -> Backdoor.Agobot : Cleaned with backup
C:\bxpdpzlu.exe -> Backdoor.Agobot : Cleaned with backup
C:\cozxdnst.exe -> Backdoor.Agobot : Cleaned with backup
C:\cqqcaijd.exe -> Backdoor.Agobot : Cleaned with backup
C:\crfdvzhd.exe -> Backdoor.Agobot : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\drtuxpsh.exe -> Backdoor.Agobot : Cleaned with backup
C:\ekfhdosc.exe -> Backdoor.Agobot : Cleaned with backup
C:\exmahjif.exe -> Backdoor.Agobot : Cleaned with backup
C:\fiyxmaww.exe -> Backdoor.Agobot : Cleaned with backup
C:\glntqnqz.exe -> Backdoor.Agobot : Cleaned with backup
C:\gpzccyqm.exe -> Backdoor.Agobot : Cleaned with backup
C:\gtfguaer.exe -> Backdoor.Agobot : Cleaned with backup
C:\gyenuxaa.exe -> Backdoor.Agobot : Cleaned with backup
C:\hprqkytp.exe -> Backdoor.Agobot : Cleaned with backup
C:\hqadpdxy.exe -> Backdoor.Agobot : Cleaned with backup
C:\hqirgtkm.exe -> Backdoor.Agobot : Cleaned with backup
C:\hspzckde.exe -> Backdoor.Agobot : Cleaned with backup
C:\itfkaghf.exe -> Backdoor.Agobot : Cleaned with backup
C:\ivtsvzpo.exe -> Backdoor.Agobot : Cleaned with backup
C:\joebctsi.exe -> Backdoor.Agobot : Cleaned with backup
C:\kmvdvaoa.exe -> Backdoor.Agobot : Cleaned with backup
C:\litchboe.exe -> Backdoor.Agobot : Cleaned with backup
C:\mamcmofc.exe -> Backdoor.Agobot : Cleaned with backup
C:\mrfzvadi.exe -> Backdoor.Agobot : Cleaned with backup
C:\mxlyshpv.exe -> Backdoor.Agobot : Cleaned with backup
C:\njwymgwl.exe -> Backdoor.Agobot : Cleaned with backup
C:\nkrnaxzh.exe -> Backdoor.Agobot : Cleaned with backup
C:\oijgivaf.exe -> Backdoor.Agobot : Cleaned with backup
C:\orehzdsi.exe -> Backdoor.Agobot : Cleaned with backup
C:\ouxyicxp.exe -> Backdoor.Agobot : Cleaned with backup
C:\owlbskee.exe -> Backdoor.Agobot : Cleaned with backup
C:\pgzozkvu.exe -> Backdoor.Agobot : Cleaned with backup
C:\pzakkhmg.exe -> Backdoor.Agobot : Cleaned with backup
C:\qgzzswie.exe -> Backdoor.Agobot : Cleaned with backup
C:\rgcyjbth.exe -> Backdoor.Agobot : Cleaned with backup
C:\rtswvtqp.exe -> Backdoor.Agobot : Cleaned with backup
C:\rwdqwkbx.exe -> Backdoor.Agobot : Cleaned with backup
C:\sbldentz.exe -> Backdoor.Agobot : Cleaned with backup
C:\sbwxpyho.exe -> Backdoor.Agobot : Cleaned with backup
C:\sltbnajp.exe -> Backdoor.Agobot : Cleaned with backup
C:\sqqihyuw.exe -> Backdoor.Agobot : Cleaned with backup
C:\ukvewzjk.exe -> Backdoor.Agobot : Cleaned with backup
C:\vpiwrqqb.exe -> Backdoor.Agobot : Cleaned with backup
C:\vpympams.exe -> Backdoor.Agobot : Cleaned with backup
C:\vyxmwpsj.exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2W0ZRZDZ\bot[1].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2W0ZRZDZ\bot[2].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBW3338Z\bot[1].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBW3338Z\bot[3].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NLN3284A\bot[2].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z7XN50EO\bot[1].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z7XN50EO\bot[2].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z7XN50EO\bot[3].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z7XN50EO\bot[5].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\rundll32.com -> Backdoor.Agobot : Cleaned with backup
C:\xvrkjizs.exe -> Backdoor.Agobot : Cleaned with backup
C:\xzmdsrvn.exe -> Backdoor.Agobot : Cleaned with backup
C:\yuxzgpfz.exe -> Backdoor.Agobot : Cleaned with backup
C:\zsophrxb.exe -> Backdoor.Agobot : Cleaned with backup
C:\zyudkfvq.exe -> Backdoor.Agobot : Cleaned with backup


::Report End
  • 0
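
The report above mixes tracking cookies with Backdoor.Agobot executables, and where the files sit says more than how many there are. The following Python is an added example, not part of the original thread or of ewido; the tag names, the `STOCK_NAMES` list and the classification heuristics are assumptions made for illustration, and the sample lines are copied from the report in this post.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the report in this post (layout: path -> name : action).
SAMPLE_REPORT = r"""
+ Scan result:

C:\bjivxikm.exe -> Backdoor.Agobot : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp clark@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\JP Clark\Cookies\jp [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z7XN50EO\bot[1].exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\rundll32.com -> Backdoor.Agobot : Cleaned with backup
C:\zyudkfvq.exe -> Backdoor.Agobot : Cleaned with backup

::Report End
"""

LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<action>.+)$")

# Assumption for this example: stock Windows program names whose .com twin in
# system32 deserves a flag (.COM is listed before .EXE in the default PATHEXT,
# so an extension-less "rundll32" would resolve to the .com file first).
STOCK_NAMES = {"rundll32", "regedit", "taskmgr", "explorer"}


def parse_report(text):
    """Yield (path, detection, action) per result line; header lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group("path"), match.group("name"), match.group("action")


def classify(path, detection):
    """Tag one hit by what its name and location suggest (heuristics, not verdicts)."""
    folder, filename = ntpath.split(path)
    stem, ext = ntpath.splitext(filename.lower())
    folder = folder.lower()
    if detection.startswith("Spyware.Cookie."):
        return "tracking_cookie"            # browser cookie, not a program
    if "\\config\\systemprofile\\" in path.lower():
        # The LocalSystem account's profile: the file was fetched by something
        # running as SYSTEM, not by the logged-on user's browser session.
        return "system_profile_download"
    if folder.endswith("\\system32") and ext == ".com" and stem in STOCK_NAMES:
        return "system_binary_lookalike"
    if re.fullmatch(r"[a-z]:\\", folder) and ext == ".exe" and re.fullmatch(r"[a-z]{8}", stem):
        return "root_random_exe"            # eight-letter name dropped in the drive root
    return "other"


def triage(text):
    """Group every reported path under its tag."""
    buckets = defaultdict(list)
    for path, detection, _action in parse_report(text):
        buckets[classify(path, detection)].append(path)
    return dict(buckets)


def executable_hits(buckets):
    """Paths that are program files rather than cookies: the ones that call for follow-up scans."""
    return sorted(p for tag, paths in buckets.items()
                  if tag != "tracking_cookie" for p in paths)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for tag, paths in sorted(result.items()):
        print(f"{tag}: {len(paths)}")
    print("follow-up needed:", bool(executable_hits(result)))
```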

#81
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
No wonder you're still having problems! You picked up A LOT of worms the last few days. You only have Service Pack 1 on your system, so you need to be very careful surfing the Internet, so we can actually get it clean so you can download Service Pack 2 and some protection programs. If you continue to surf the Internet as usual you will continue to pick up infections and we will never be done here.

The Worms are nasty so I need you to run BOTH of these virus scans (not at the same time).

Run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here.

Run this one also, but there is no need to save the log, I will be able to tell whether or not it was run, so I highly recommend doing so :tazz:
TrendMicro's HouseCall - check "Auto Clean"

#82
Flagler23

    Member

  • Topic Starter
  • 77 posts
ok got both those scans done.
here's the first scan you wanted. thanks a lot!!

Incident Status Location

Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/PopCapLoader No disinfected C:\Documents and Settings\JP Clark\Desktop\Clean Up\backups\backup-20050706-183552-124.inf
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts

#83
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
How old is Norton?

#84
Flagler23

    Member

  • Topic Starter
  • 77 posts
not very old - probably got it like a month ago.

#85
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, have you updated it recently and done a full system scan? If not I recommend doing so.

I also need you to locate this file:

C:\WINDOWS\System32\18E3C9DF74.sys

Right click on it and choose "Send to > Compressed (zipped) folder". It will create a zipped folder inside the system32 folder. Then I need you to delete the unzipped 18E3C9DF74.sys.

Still getting pop-ups?

#86
Flagler23

    Member

  • Topic Starter
  • 77 posts
ok. it seems like it's working fine.

#87
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hopefully we got the last of it :tazz:

Please post one more HiJackThis log for me to check out, then after that I strongly, strongly recommend downloading Service Pack 2, otherwise it will only be a couple of days at most and you'll be back with your system highly infected again.

#88
Flagler23

    Member

  • Topic Starter
  • 77 posts
how do i get service pack 2? what is it? i'm not sure if i have norton anymore - i don't think i have it. what should i use, ewido? should i get rid of spysweeper or just keep shutting it down each time i get on?

Logfile of HijackThis v1.99.1
Scan saved at 12:51:25 PM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\JP Clark\Desktop\Clean Up\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113958217972
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#89
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Your log looks fine :tazz:

However, it is in fact still showing that you have Symantec anti-virus. If you don't think you have it anymore, then I don't think it's doing its job.

Please download AVG anti-virus. It's free and it works great. After it's downloaded, disconnect from the Internet, but don't install it yet.

Then, I need you to go to Start > Control Panel > Add or Remove Programs and remove anything that says "Symantec" or "Norton".

After it has been removed, reboot your computer and install AVG.

Service Pack 2 is an extremely important security update for XP. After installing AVG, go to http://www.microsoft.com, click on "Windows Update" on the left, then click "Express Install" - install all the available security updates for your computer.

There is no need to keep shutting down SpySweeper. That was only for the purpose of cleaning your log in case it interfered. After this is done, post a new HiJackThis log for me and if any traces of Norton are left, we'll get rid of it, then I will give you the recommendations on prevention programs.

#90
Flagler23

    Member

  • Topic Starter
  • 77 posts
never mind, i do have it. it's under symantec. i just did live update - should i keep this? this is the one that is new.





