TrojanDownloader:Win32/Purstiu.A... please help [RESOLVED]


  • This topic is locked

#1
d9rkn1ght


    New Member

  • Member
  • Pip
  • 7 posts
whenever i open up some of my folders, after awhile, the microsoft error report thing pops up and tells me to send a report. after doing so, they tell me that TrojanDownloader:Win32/Purstiu.A is messing with my computer and to download the malicious software removal tool... and after that fails, i have no idea where to start...
here is my log though... and any help will be much appreciated :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:11 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Tran\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - Global Startup: Motorola Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#2
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

I don't see anything suspicious here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
    o You will need to step through the process of cleaning files one-by-one.
    o If Ewido detects a file you KNOW to be legitimate, select none as the action.
    o Do NOT select 'Perform action on all infections'
    o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Restart your computer. Post the logs for HijackThis and Ewido.
  • 0

#3
d9rkn1ght


    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
thank you very much for replying ^_^
here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:35:21 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Tran\Desktop\AntiVirus [bleep]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Motorola Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

its weird though because this is my ewido log...

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:32:17 PM, 9/19/2005
+ Report-Checksum: 8D60CE55

+ Scan result:

No infected objects found.


::Report End

i have no idea -_- and the same problem as before keeps on occurring. any ideas?

well also, the thing is, ive been running all sorts of programs and got rid of alotta stuff already, but this trojan is still there... so yea i donno wut to do... please leave a post if you have any ideas

Edited by d9rkn1ght, 20 September 2005 - 03:21 PM.

  • 0

#4
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

OK, I want you to run the below 3 scans. When you are done with all of them, give me the logs for Panda and mwav.

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane --- Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

  • 0

#5
d9rkn1ght


    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello and thanks once again ^_^
i did the panda scanner and it came up nothing found, so i didnt find it necessary to copy the log... but here is the MWAV log... please have a look and thanks for your time ^_^

Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\stlport_vc746.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxinsa64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxinsi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxcpya64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxcpyi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Motorola Wireless USB Adapter" refers to invalid object "C:\Program Files\Motorola Wireless\WU830G USB Adapter\Motorola Wireless USB Adapter". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE" refers to invalid object "C:\WINDOWS\ORUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Intel\ProSafe\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\Application Data\Jasc Software Inc\Paint Shop Pro Studio\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\Application Data\Jasc Software Inc\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\MyWaySA\SrchAsDe\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\MyWaySA\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".c00". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jsf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".nes". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ocm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".part". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sfv". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".smc". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AOL Connectivity Services". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AOLCoach". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Kazaa Lite Resurrection_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "M886903". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SymSetupTemp.{A93C9E60-29B6-49da-BA21-F70AC6AADE20}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{4E9C3F2D-C654-453E-B1AD-9F231905A50D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{73819BA2-2E8B-430B-A6C9-0D89657DC865}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{78D944D7-A97B-4004-AB0A-B5AD06839940}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7BF7B688-4A95-4003-BA98-EA8A79DA0ABA}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{9C2EDC9C-EF3B-443A-BB2C-3488DAC7247E}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A27F2A64-3D23-4449-B395-75335CED458E}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E8D25E54-D172-4FB0-929B-48D51E2E9C6D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{FB015BB0-5518-4767-9DE4-F9A5C7C62E46}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00014C0D-B007-4448-B89B-4EC3E857961D}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{09E6F477-C3C3-4636-8BFD-2DDB36147FEC}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C5D39B0-460B-11D4-ADE1-0050DACD3DB9}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\MMRadioEngine.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0FE9096F-7F7A-4e40-857C-E48A53440DFE}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{10F34E64-BBB2-11D6-8A17-00E029570A3E}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\sa.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1167C47F-01F9-4C08-8564-1D6C9BAAFB60}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\PATHFI~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{18477169-4752-41DC-AB0F-C50EBA75641D}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPWz.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1853e19a-4e54-4190-8deb-2e1cc947cd60}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\axtrack.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1CB749C0-81EC-484E-B82C-ADD141FC6415}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\xanthe.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1EF2E5CB-646F-4F85-A355-8E328652CA60}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{205D2DFB-BBAD-4DC4-A0BB-CDA12A1639CE}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2294C466-0D91-4689-9762-C1E92CF079BB}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\SkinMgr.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{229b78d5-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{229b78df-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{229b78e0-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{229b78e1-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{229b78e2-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{23AA6EBC-86AA-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{23AA6EBD-86AA-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{27855D52-0913-4F88-A8CC-343D374E7CC9}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2BAE89B0-68EF-4fab-AFF7-1E486D93F9EB}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\ae.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{399CB6C4-7312-11D2-B4D9-00105A0422DF}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\HHACTI~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C2889D4-F0F6-41C0-A50D-34F2136E761C}" refers to invalid object "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_director.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E97BE17-3300-4A4F-B380-5988DD771F1F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\ares.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5145942E-41DF-4658-B7C4-089F48E84A75}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\axtrack.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}" refers to invalid object "C:\PROGRA~1\TROJAN~1\Trshlex.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{54D9498B-CF93-414F-8984-8CE7FDE0D391}" refers to invalid object "C:\Program Files\ewido\security suite\shellhook.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5788DAE8-4B72-4BE6-89A0-1E6123E4CBC2}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\cerberus.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{57C368A7-F2E9-48C6-B0E2-C201751383C1}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{61E15DE7-D229-4eb3-A460-40DCDDA60DA7}" refers to invalid object "C:\Program Files\America Online 9.0\abui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{63435828-E10D-42d5-8859-C94796B7C22D}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{639A19DD-1D97-4A6E-A0D1-01E04FED563F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6AD3B5BD-9A96-4ca2-9455-2034D05EB134}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6B58B5DC-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6B58B5DD-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6B58B5E0-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6B58B5E1-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6B58B5E4-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6B58B5E5-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6E9DBE43-5233-49A3-AB96-A9353EB9AB6D}" refers to invalid object "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_director.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}" refers to invalid object "C:\Program Files\Common Files\aolshare\Coach\coachdm3.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7C9688C3-7279-474D-ABA5-A632373D2CDB}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{84268CDA-5AE9-409C-94E9-B6FEB4B5A123}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~3.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8AB5F344-B600-11D6-8A15-00E029570A3E}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\sa.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{943742F6-3A40-43FF-97F4-A1750D97B200}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~3.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{959F94FD-DD1E-11D2-B559-00105A0422DF}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\HHACTI~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9824EE63-01DC-11D0-9BEA-00A0246FD2EF}" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPUPF.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9F62797E-1249-4596-9FF7-AC6D851A542A}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A105BD70-BF56-4D10-BC91-41C88321F47C}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A8ABE123-FAC4-41c1-ABA3-051B6F112B83}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AD41621C-A2DD-487D-A24B-8BE40116A5A3}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~3.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ADC4FE5F-9ACA-4551-8AD1-7B1DEF9D6BE8}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AED456C4-4866-4420-863F-35767EBED514}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B036FBCB-F307-4A50-81EF-4C569146CEE0}" refers to invalid object "C:\Program Files\Common Files\SWF Studio\Plugins2\INIFile.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B3E7BCF9-05C8-4233-BA88-37FDA4AD3147}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B4F80028-5714-4B7B-B9B1-5748B204799A}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B5DE6AA8-A94F-4369-93ED-77307026FDF1}" refers to invalid object "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_director.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B617F87F-1856-43BC-ADEB-C43922F7A575}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B6F041A2-48B9-4d3f-A91D-90E17C505FD3}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B9F3009B-976B-41C4-A992-229DCCF3367C}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\axtrack.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBE1C463-3DBE-4b29-976B-E1C75AFE1EDF}" refers to invalid object "C:\Program Files\Musicmatch\MUSICMATCH Music Services\MMDRMCtrlObj.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bc8a96c4-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bc8a96c5-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bc8a96c6-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bc8a96c7-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bc8a96c8-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C3DB19A6-D5A2-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CE0E7204-D82C-4273-8A70-919963F4CFE0}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D18BDF80-08FE-48D7-89EC-738C0E42C973}" refers to invalid object "C:\Program Files\Common Files\SWF Studio\Plugins2\FileSys2.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D326DC3B-8ADF-456A-B1B7-8A9E37704C60}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D465B936-C361-4417-9AC5-35167066F84B}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D670D0B3-05AB-4115-9F87-D983EF1AC747}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9F99C6B-A3A6-11D4-AF64-444553546170}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DA3C177A-D1DA-47f2-BBF0-E9710CA7253F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~4.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E3852604-B619-11d6-94EC-00047521F020}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\nmpxchat\nmpxchat.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E981D791-F499-4837-A483-5AB22F1C548F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EB511AE4-87FE-4EFB-91A3-428B2F2601F7}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EFAC012B-2A65-4D0B-9237-ADBADD94DFE9}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0FDBF9F-63BF-4BFB-A3DB-E7B7FCF3F7DE}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\directorps.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F1DD8F2C-1A49-40F0-9649-ACB3AB7AF86A}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F4F30C01-A7B4-492e-943E-58A7CF2D9DD6}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F8A9E1FD-7DCD-4be8-B510-7CBB849364AB}" refers to invalid object "C:\Program Files\Intuit\QuickBooks 2005\TerminalDownloadTool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FB215E25-F536-4B36-8262-ECF59601FAC1}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~3\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{00A987AE-587B-4343-B826-89F17AB41A03}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\MYCALE~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{06645894-E73C-413B-8704-71823A9C39B5}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\cerberus.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{0B54F548-639F-462F-BCDE-9557B8AB378F}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~4.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{0C5D39A3-460B-11D4-ADE1-0050DACD3DB9}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\MMRadioEngine.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{16D8D842-6E64-489F-99BB-D6CEF503A74E}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\xanthe.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1B8B281E-F67E-4212-8D3B-C98B8AE18DA4}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{229B78B8-38F5-11D5-9001-00C04F4C3B9F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\CDDBCO~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{296802FE-345A-4CA4-B941-692B8622CC69}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\axtrack.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2ACBD496-FD2D-43CF-8870-F349AC57307B}" refers to invalid object "C:\Program Files\Musicmatch\MUSICMATCH Music Services\MMDRMCtrlObj.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{307DE02D-679A-49B9-B582-6E623BE9386F}" refers to invalid object "C:\Program Files\Common Files\aolshare\Coach\coachdm3.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{399CB6B4-7312-11D2-B4D9-00105A0422DF}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\HHActiveX.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0}" refers to invalid object "C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3F8E02B4-6601-41A2-95E7-6BD102935C55}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\phobos.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{57B2FD05-64D4-4AD7-A92A-7C32FE50A0F4}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPUPF.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}" refers to invalid object "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{621362CD-2185-4C26-9803-F9613C3BAE5E}" refers to invalid object "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_director.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{64E26A20-8A9E-4B33-9F8D-F3663F13811E}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPWz.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{6B58B5D9-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{79C10055-C1B5-4754-AC44-003784AA3A44}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~3.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{88444512-4C4A-484A-B730-B83E51305800}" refers to invalid object "C:\Program Files\Common Files\SWF Studio\Plugins2\INIFile.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8D66A700-5DF0-4706-9ACA-FEB467A7A853}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\ares.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{AB99CA0B-498E-4938-862C-F0CEC262EA69}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\SkinMgr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{BFF38E2D-B1D9-48F9-B11D-4F8A150F1C84}" refers to invalid object "C:\Program Files\Musicmatch\Musicmatch Jukebox\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C29F0A7C-64E9-4345-A15A-EBCB89E54784}" refers to invalid object "C:\Program Files\Intuit\QuickBooks 2005\TerminalDownloadTool.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{CC491105-58FA-437F-A1CE-CC947B6AFE4F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\ae.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DA2FAE70-6518-4700-A264-3500A380F695}" refers to invalid object "C:\Program Files\America Online 9.0\abui.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DCCAF17F-7581-4C86-9867-56D9405FAC3F}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\PATHFI~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{E3852602-B619-11D6-94EC-00047521F020}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\media\nmpxchat\nmpxchat.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{ECAD18F1-CA65-11D6-8A1B-00E029570A3E}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\sa.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{F0BBAC1E-889D-4961-AA6B-FFC2A07EEFA8}" refers to invalid object "C:\Program Files\Common Files\SWF Studio\Plugins2\FileSys2.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{F8209D9F-D73B-49D5-BD13-055CA660B815}" refers to invalid object "C:\Program Files\ewido\security suite\shellhook.dll". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AOLCoach.TrainerOCXCtrl.10" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347}". Action Taken: No Action Taken.
Entry "HKCR\CoachDM.WebCoachDownload" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347}". Action Taken: No Action Taken.
Entry "HKCR\CoachDM.WebCoachDownload.1" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347}". Action Taken: No Action Taken.
Entry "HKCR\Collection\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\GZipTar-Archiv\shell\open\command" refers to invalid object ""C:\Program Files\WinAce\WinAce.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\JascPaintShopPhotoAlbumAudio\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\JascPaintShopPhotoAlbumFolder\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\JascPaintShopPhotoAlbumImage\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\JascPaintShopPhotoAlbumProject\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\JascPaintShopPhotoAlbumUploadAlbum\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\Javasoft Archiv\shell\open\command" refers to invalid object ""C:\Program Files\WinAce\WinAce.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\Keyword\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\Lzh-Archiv\shell\open\command" refers to invalid object ""C:\Program Files\WinAce\WinAce.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\MiniBugTransporter.MiniBugTransporterX" refers to invalid object "{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}". Action Taken: No Action Taken.
Entry "HKCR\MiniBugTransporter.MiniBugTransporterX.1" refers to invalid object "{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}". Action Taken: No Action Taken.
Entry "HKCR\MMJB.BPP\shell\open\command" refers to invalid object ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\MMJB.MMO\shell\open\command" refers to invalid object ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\MMJB.MMZ\shell\open\command" refers to invalid object ""C:\Program Files\Musicmatch\Musicmatch Jukebox\ti.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\Panorama\shell\open\command" refers to invalid object "C:\PROGRA~1\JASCSO~1\PAINTS~2\pspa.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\torrent_auto_file\shell\open\command" refers to invalid object ""C:\Program Files\Arctic\arctic.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\UUEncoded-Archiv\shell\open\command" refers to invalid object ""C:\Program Files\WinAce\WinAce.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\Zoo-Archiv\shell\open\command" refers to invalid object ""C:\Program Files\WinAce\WinAce.exe" "%1"". Action Taken: No Action Taken.

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Nothing there either. Not sure how we will remove this. You sure it's not a false positive? You said Windows actually tells you that you have this trojan and not your antivirus program?

You can download and scan with the free 30-day trial of Trojan Remover:
http://www.simplysup...r/download.html

Try that out...

#7
d9rkn1ght

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
okies, I guess that means I'm screwed... I ran the program and no malicious files were detected... but this is the Windows Explorer message that I get when I open my folder:

Windows Explorer
Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.
We have created an error report that you can send to help us improve Windows Explorer. We will treat this report as confidential and anonymous.

Blah blah blah... send error report...

Thank you for taking the time to report this problem. Please follow the link below...

then, this is the link's message:
Virus alert: A virus has been detected on your computer

Thank you for submitting an error report.

Problem description

The error was likely caused by:

TrojanDownloader:Win32/Purstiu.A

Solution

A solution is available. To remove TrojanDownloader:Win32/Purstiu.A, Microsoft recommends that you download the Malicious Software Removal Tool. Click the following link for more information about this tool.

after that the folder closes...
well, if you can't think of anything to save me :tazz: it's all right and thank you for your time and efforts ^_^

oh, also I get a few Dr Watson error windows similar to the Windows Explorer errors... I dunno if they might be a problem, but any information at this point may help, right? ^_^

Edited by d9rkn1ght, 21 September 2005 - 06:10 PM.


#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, since you get Dr Watson errors also, see if this program detects anything:

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

If not, it looks like XP SP2 has to go. You might have to downgrade to SP1a and get the regular updates (just not SP2). That should fix up the Dr Watson error. See if that fixes up the "trojan" error also.

#9
d9rkn1ght

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you for all of your help, but I had already sent my computer to my friend and he solved the problem for me... sorry for inconveniencing you... but really, thanks for all your help ^_^ :tazz:

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.