Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

hclean32.exe Detection

Started by RILouis , Oct 04 2005 12:40 AM

  • This topic is locked This topic is locked

#1
RILouis
Posted 04 October 2005 - 12:40 AM

RILouis

    New Member

  • Member
  • Pip
  • 8 posts
Awesome site! I followed some of the recommendations by running "ad-aware 6" and "ewido" to attempt to clean the problem. These programs were successful in removing over 400 spyware and trojan files combined. However, this "hclean32.exe" notice still tends to pop up via Norton Anti Virus. Also, I do not know if this is related as well, but there are some files that I can not delete from my recycle bin and desktop (item on the desktop is not open - were temporary files in a folder). The HijackThis file is below. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:05:05 AM, on 10/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Reggie Louis\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmehf.exe] C:\WINDOWS\System32\dmehf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dnkn.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124602561517
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
  • 0

Advertisements

#2
Crustyoldbloke
Posted 04 October 2005 - 05:10 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Reggie and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Hclean32.exe is normally associated with Wareout rootkit, so we can start that process. Let’s see what we can do with the first sweep.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly could you please disable Ewido Guard from running during the fix, it may just hinder our attempts to change anything. Open Ewido and deselect the Guard option.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [dmehf.exe] C:\WINDOWS\System32\dmehf.exe
O4 - Global Startup: dnkn.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\System32\dmehf.exe
dnkn.exeuse search to find thid file

Close Windows Explorer and Reboot normally

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner.

Download CCleaner

Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Please download and run Silent Runners

* Please right click this link and choose save (link) as to download:Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#3
RILouis
Posted 04 October 2005 - 04:49 PM

RILouis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for the immediate attention to my dilemma. This post includes two sections. There were some files that CCleaner could not fix. It attempts to delete them, returns a message that it was done, however, if the scan is executed again, it returns the log i have posted. the problem files are in my recycle bin and on the desktop. I have posted that log in addition to the Silent Runners log. See Below

*******************************************************************
CCleaner Log
*******************************************************************

ANALYSIS COMPLETE - (0.170 secs)
------------------------------------------------------------------------------------------
14.2MB to be removed. (Approximate size)


Details of files to be deleted (Note: No files have been deleted yet)
------------------------------------------------------------------------------------------
IE Temporary Internet Files (5 files) 0 bytes
Emptied Recycle Bin (2 files) 14.2MB
------------------------------------------------------------------------------------------



*******************************************************************
Silent Runners Log
*******************************************************************
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"00THotkey" = "C:\WINDOWS\System32\00THotkey.exe" ["TOSHIBA Corp."]
"000StTHK" = "000StTHK.exe" [null data]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"LtMoh" = "C:\Program Files\ltmoh\Ltmoh.exe" ["Agere Systems"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"PmProxy" = "C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" ["adi"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
"TFNF5" = "TFNF5.exe" ["Toshiba Corp."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Tpwrtray" = "TPWRTRAY.EXE" ["TOSHIBA Corporation"]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"Pinger" = "c:\toshiba\ivp\ism\pinger.exe /run" ["TOSHIBA Corporation"]
"ACUMon" = ""C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a" ["Cisco Systems, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"STOPzilla" = "C:\Program Files\STOPzilla!\STOPzilla.exe /autostart" ["International Software Systems Solutions"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{E3215F20-3212-11D6-9F8B-00D0B743919D}\(Default) = "STOPzilla Browser Helper Object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\STOPzilla!\SZIEBHO.dll" ["International Software Systems Solutions"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! STOPzilla\DLLName = "IS3WLHandler.dll" ["ISSS Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
gfnfkmny\(Default) = "{3b45a7cf-2b35-4d46-a272-34949e017df7}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\gfefk.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Reggie Louis" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.toshiba.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\System32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
STOPzilla Service, szserver, "C:\Program Files\Common Files\STOPzilla!\SZServer.exe" [empty string]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 69 seconds, including 18 seconds for message boxes)
  • 0

#4
Crustyoldbloke
Posted 04 October 2005 - 05:33 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
OK, that's fine. Please continue.

Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

After reboot, please download RKFiles
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log with be saved at c:\log.txt

  • 0

#5
RILouis
Posted 04 October 2005 - 08:36 PM

RILouis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here you go! I really appreciate the assistance so far! Thx -- Here's the log.



C:\Documents and Settings\Reggie Louis\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
  • 0

#6
Crustyoldbloke
Posted 05 October 2005 - 02:14 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Reggie

It was a bit of a surprise that no bad files were found with that last scan. Are you sure you followed the instructions correctly? If so, let's continue.

• Please download the Killbox by Option^Explicit.* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\System32\gfefk.dll
C:\WINDOWS\System32\hclean32.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.
After reboot, post a new HiJackThis log here.
  • 0

#7
RILouis
Posted 05 October 2005 - 10:32 PM

RILouis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
"KillBox" execution complete. Again, your assistance is greatly appreciated. There are still some files in my recycle bin and desktop that can not be deleted. They are some temporary files that were created, I think, after I ran fixware prior to conversing with you. However, I have not had that annoying notification of by "hclean32.exe". When I try to delete that folder from the desktop or recycle bin, the following is displayed:
-----------------------------------------------------------------------------------------------
Cannot delete @ Top [1]: Cannot find specified file.
Make sure you specify the correct path and file name.
-----------------------------------------------------------------------------------------------

Where do I go from here? Thx
  • 0

#8
Crustyoldbloke
Posted 06 October 2005 - 03:17 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Reggie

Just about everyone using NAV has problems with it; I really don't know why it is such a big brand. The only thing I like about it is uninstalling it :tazz:

My understanding of the function of the Norton Protected Recycle Bin (NPRB) is to save all the files you try to delete normally, just in case you ever want them.

Everything I've read tells me that you can choose to have this function enabled or disabled. I believe that this follows on from the Norton Control Function normally found in your taskbar i.e.

According to Symantec, this is how you delete the files within.

Reboot into safe mode

To empty the Norton Protected Recycle Bin

1. On your desktop, right-click the Norton Protected Recycle Bin, and then click Properties.
2. On the Recycle Bin tab, in the Title field, change the text to "Recycle Bin."
3. On the Norton Protection tab, uncheck Enable protection.
4. Click Empty Protected Files.
5. Click Purge All.
6. Click OK.

Any better?

Can I see a fresh HJT log please?
  • 0

#9
RILouis
Posted 10 October 2005 - 10:32 AM

RILouis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Greetings Again my PC Master!

I apologize for the delay but I tried the last post but I did not see the Norton Protected Recycle Bin...I thought you were maybe refering to the normal recycle bin but the tabs did not match. Any suggections?

Thanks.
Reggie
  • 0

#10
Crustyoldbloke
Posted 10 October 2005 - 11:26 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Reggie

I'm not even sure I understand what you want me to do.

If I am understanding you correctly, you have a folder on your desktop that doesn't want to go and some files in a recycle bin that are also being stubborn.

I suggest trying to remedy the situation in safe mode so only a few processes are started.

Next I suggest checking your OS for flaws:

Run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow Please note that there is a single space between sfc and /scannow.

Typing this will start the programme, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. if this happens please make sure that you can view protected files:My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.
Then rerun the scan.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:My Computer
Tools
Folder Options
View
"Check" Hide protected operating system files.
Any better?
  • 0

#11
RILouis
Posted 13 October 2005 - 05:05 PM

RILouis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Good Day!

I successfully completed the process that was last indicate4d but I still can not delete the files. Also, I have a new trojan NAV has deteced: "C:\WINDOWS\system32\dmwtl.exe" Do you recommend a new virus protection software? Here is the HJT file below:


Logfile of HijackThis v1.99.1
Scan saved at 5:57:23 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124602561517
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
  • 0

#12
Crustyoldbloke
Posted 13 October 2005 - 05:58 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Reggie

Please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start >My Computer)

You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Please visit Kaspersky for an online scan. Please post the report in your reply.

How are things now?

Edited by Crustyoldbloke, 13 October 2005 - 06:01 PM.

  • 0

#13
RILouis
Posted 14 October 2005 - 08:28 PM

RILouis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello!

Good News, I was able to remove the desktop items and the items in the recycle bib but here are the results from the Kaspersky On-line Scan:



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, October 14, 2005 21:24:59
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/10/2005
Kaspersky Anti-Virus database records: 144877
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76866
Number of viruses found: 14
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 9236 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\099F22A7.exe Infected: Trojan-Downloader.Win32.Small.akz
C:\Program Files\Norton AntiVirus\Quarantine\099F22A7.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\09A8209C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\238B25E1.exe Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton AntiVirus\Quarantine\2A62339C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2D2C58CB Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\30052165 Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\30084B62 Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\300C755E Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\395B7C02.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\3B5567D5.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\3C5008C1.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\3DC61677.exe Infected: Backdoor.Win32.Agent.mo
C:\Program Files\Norton AntiVirus\Quarantine\3E5566F7.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\58F5553C.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\58F5553C.tmp Infected: Trojan-Downloader.VBS.Psyme.v
C:\Program Files\Norton AntiVirus\Quarantine\591C4D11.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\593372F8.tmp Infected: Trojan-Downloader.VBS.Psyme.v
C:\Program Files\Norton AntiVirus\Quarantine\59401AEA.tmp Infected: Trojan-Downloader.VBS.Psyme.v
C:\Program Files\Norton AntiVirus\Quarantine\594D42DB.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\597110B4.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\59E02439.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\5FC81616 Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\647A6F96 Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\7B6E658E Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\7B753986 Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\7D217956.htm Infected: Exploit.HTML.Mht
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.bem
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP108\A0052838.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP108\A0052847.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP109\A0053072.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP109\A0053073.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP109\A0053137.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP109\A0053163.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP126\A0055466.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP127\A0055590.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP130\A0056607.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP131\A0057577.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP133\A0059748.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab

Scan process completed.
  • 0

#14
Crustyoldbloke
Posted 15 October 2005 - 02:52 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Reggie

Glad to see that we are winning.

The Kaspersky log has highlighted the quarantine area and restore point. Please go ahead and empty the Norton quarantine folder, although they are not in play on your PC. The restore points are going to be deleted shortly as a matter of routine. The others mentioned I have copied into Killbox simply because Kaspersky doesn't tell me that they have been deleted although I suspect that they have. That fourth one looks suspect to me.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\GSM3-0511.exe/data0002
C:\WINDOWS\system32\GSM3-0511.exe/data0003
C:\WINDOWS\system32\GSM3-0511.exe
C:\WINDOWS\system32\i

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt..

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

How is everything now? Any further problems?


"Edit,
As there has been no reply from the original poster this topic is now closed,
Should you have any further problems please create a new Topic,

Thanks "

Edited by Crustyoldbloke, 25 October 2005 - 02:52 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP