
Hostbank Trojan [RESOLVED]


This topic is locked

#1
brad656

    Member

  • Member
  • 38 posts
Does anyone know how to get rid of a HostBank trojan?

According to my A-Squared HiJackFree, I have a NetVision Dialer attached to my QuicktimeTask Program.
Any ideas on how to get rid of it?

According to my A-Squared HijackFree scan, I have an AKHER.D worm, a REATLE worm, an RBOT L-J worm, and an OBSORB trojan attached to my Norton Antivirus.
Any ideas on how to get rid of them?

According to a scan of my programs done by my A-Squared HiJackFree tool, I have several 'bad' programs attached to my Windows Messenger service--which I tried to delete altogether (didn't work).
There are several bad files added by:
Small-EW Trojan
DLOADER-LN or ZLOB-C or ZLOBDROP-C Trojans
ZHOPA Trojan
Zlob.B Trojan
HostBank Trojan
AGOBOT-NL worm
and SDBOT-ZB worm
Can anyone help me get them off?
  • 0


#2
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi Brad,

Last night you started 4 separate topics about this same issue within ten minutes. The other three have been closed. Please abide by the forum rules. Do not start multiple topics about the same problem.

Now please do this:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
My posts were not about the same issue. That's what I'm trying to say. I had one post that was about a general query--whether or not I actually had malware on my computer--as I have a program on my computer that tells me that I have a lot of bugs and worms and viruses and trojans connected to legitimate programs. I have already done what you've suggested (downloading HiJackThis) and have spoken with a malware expert. We fixed some stuff and he said I was clean. The problem was: my program still tells me I have problems, so I need to know if that program was correct in its assessment (despite other assessments coming up nil), and if I should take further action.
Since I posted this issue three different times, no one having replied, I figured I might as well post individual queries on the individual bugs that my program reports, to see if there was a fix that applied to me, to see if I actually had a problem.
I was unaware of any forum rules that said I couldn't have more than one post within a time limit. Excuse me. I'm just trying to find if I have a real problem or not, I'm not trying to fix problems at this point, because I don't know if there's a problem.
When I did have identifiable problems, the malware forum was very helpful. But this is not yet a malware issue. I don't think. That's precisely what I needed to know.
But I've just gotten help from another person on this topic. Thank you for your help, however, and I assure you I will limit my posts from now on.

Edited by brad656, 23 March 2006 - 06:02 PM.

  • 0

#4
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
I'm going to repeat this here for you:

http://www.geekstogo...pic=104153&st=0

This is your final warning. DO NOT start another new topic regarding this matter! I asked you to post this Hijack This log in the other topic you had after warning you about starting multiple topics. You made excuses as to why you didn't really start multiple topics about the same problem and as to why you didn't really need to post a new Hijack This log too! Now you have gone and started another new topic with the Hijack This log that I asked you to post in the other topic even after being warned! You just don't get it do you?

Either post your Hijack This log in this topic as I asked you to or go elsewhere for help. Again, DO NOT start another new topic about this!
  • 0

#5
brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
Quite literally, I don't get it. I'm sorry for creating multiple posts. I am new to Geekstogo and I thought I was doing perfectly fine. I created that last post because I was told to post a new HJT Log in the malware section.
I know you've explained the rules to me a few times. I just didn't think I was breaking the rules, especially with that last post. This is just a misunderstanding. Really. What I was trying to explain was not that I was trying to fix problems, but to see if the program that tells me I have problems was a reliable one. I didn't think that was a malware issue. I started individual posts on individual viruses only to verify if my A-Squared program (which started this hub-bub in the first place) was telling me falsities. While I was talking to you about this, someone else was helping me with the issue. I tried once to reply to your warning, to explain that this was all a misunderstanding, but instead of clicking 'reply' I pressed 'New Topic'. Then I returned to this forum to post that reply here. In that time, the person helping me referred me to the malware section where he said I should post I HJT log just in case. I thought that this thread would be closed because I told you that I had help elsewhere. Then I post the HJT log in malware. I'm very sorry for making multiple posts. Excuse me. It will never happen again.
I thought this thread would be terminated, as I would start a new thread in malware, after being redirected there by someone who was of great help.
I apologize again.

But now I'm confused. Do I post a HJT log here? I was also told to post my last HJT logs in malware with my latest one. So, assuming that I am to post here, here that is:


I've been to malware before, but my A-Squared keeps telling me I'm still infected, and I often get weird, unintelligible pop-ups.
Do I have anything wrong with my computer? Please help me!
Should I be creating Hijackthis logs from safemode or regular? This is from regular:


Logfile of HijackThis v1.99.1
Scan saved at 8:37:08 AM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/index.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall....ivex/hcImpl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Here's a copy of my last HJT logs:
http://www.geekstogo...ndpost&p=598897


Thanks for your help. I'm sorry for causing you any stress.
  • 0

#6
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
I don't see anything in your Hijack This log so please do the following:

* Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.


* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Post a new HiJackThis log along with the results from ActiveScan and the Hijack This Uninstall Manager list in this topic.
  • 0

#7
brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
Okay.
Here is the Uninstall list:
Ad-Aware SE Personal
Adobe Reader 6.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Spyware Protection
AOL Toolbar
a-squared Personal 1.6.5
BigFix
Canon PhotoRecord
Canon PIXMA iP3000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
ccCommon
CCleaner (remove only)
Citrix ICA Web Client
Corel Uninstaller
Digital Media Reader
Easy-WebPrint
ewido anti-malware
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Adapters and Drivers
Internet Worm Protection
iPod for Windows 2005-10-12
iPod for Windows 2005-11-17
iPod Updater 2004-08-06
iTunes
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LimeWire 4.9.28
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Picture It! Photo Premium 9
Microsoft Works
Mozilla (1.7.5)
Multimedia Keyboard Driver
NAVShortcut
Nero BurnRights
Nero OEM
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
oobeFlagNetscape0
PowerDVD
Pure Networks Port Magic
QuickTax 2004
QuickTax 2005
QuickTax Tracker
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Retirement Income Planner
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SoftV92 Data Fax Modem with SmartCP
SPBBC
Spybot - Search & Destroy 1.4
Symantec
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
World Poker Championship (remove only)
  • 0

#8
brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
Problem:
Panda doesn't have a 'save report' button.
Not no way, not no how.
It doesn't show any threats though...
here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:16:25 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/index.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall....ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#9
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Tell me exactly what a-squared is finding and where.
  • 0

#10
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Go to Add/Remove programs and uninstall these:

Java 2 Runtime Environment, SE v1.4.2
Viewpoint Media Player



* Now go here and install the latest version of Java.


* Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


* Run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from the Kaspersky scan.
  • 0


#11
brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
These findings are from A-Squared's HiJackFree feature.
I might be able to show you them first with a link. However, it may have information on it that it would be better if I kept off of an internet forum. Is there any way I could get it to you discreetly? Or is this enough?:

These bad programs are attached to clusters of good programs and usually share the same command as their good counterparts.

Name: NeroFilterCheck
Path: C:\WINDOWS\system32\NeroCheck.exe
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Connected to Nerofiltercheck, are:
sharing the nerocheck.exe command, a program added by the PROXY-X trojan
a program named Scheduler, also sharing the same command, added by the TACTSLAY.B trojan


Name: QuickTime Task
Path: C:\Program Files\QuickTime\qttask.exe -atboottime
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Attached to three programs listed as 'good'--QuickTimeTask programs--are:
A program named QuickTime Task, sharing the same command: qttasks.exe--apparently a CoolWebSearch parasite variant
A program named Quicktime Task , having this as a command: [random filename]--apparently a NetVision dialer

Name: ccApp
Path: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Attached to some Norton service:

A program named Norton Auto-Protect, with the command "ccApp.exe"--added by the AKHER.D WORM
A program named Symantec, with the command "ccapp.exe"-- added by the REATLE WORM
A program named Symantec Service, command: ccApp.exe-- added by the AKHER.D WORM
A program named ccApp, command:[random filename]-- added by the OBSORB TROJAN
A program named ccApp, command: WMADZ.EXE--Added by the RBOT-LJ WORM
A program named ccApp, command: .EXE Added by the RBOT-LJ WORM
A program named ccApp, command: gcasServ.exe Added by a variant of the RBOT WORM

Name: MSMSGS
Path: C:\Program Files\Messenger\msmsgs.exe /background
Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Attached to a Windows Messenger utility named MSMSG, command: msmsgs.exe, are:
A program named MSMsgs, command: msmessgs.exe-- Added by the SMALL-EW TROJAN
A program named MSN Messenger, command: msmsgs.exe--Added by the DLOADER-LN or ZLOB-C or ZLOBDROP-C TROJANS--beside this says: Note - this particular msmsgs.exe file is located in the Windows\System32 or Winnt\System32 folder, and should not be mistaken for the MSN Messenger file of the same name
A program named MSN Messenger, command: msmsgs.exe--Added by the ZHOPA TROJAN! Note - this particular msmsgs.exe file is located in the Windows\System32 or Winnt\System32 folder, and should not be mistaken for the MSN Messenger file of the same name!
A program named Msn Update Manager (Sp2), command: MSMSGS.EXE Added by the AGOBOT-NL WORM
A program named RegSvr32, command: msmsgs.exe Added by the ZLOB.B TROJAN
A program named Scheduler, command: MSMSGS.EXE Added by the HOSTBANK-A TROJAN! Note - this particular msmsgs.exe file is located in the Windows\System32\Config or Winnt\System32\Config folder, and should not be mistaken for the MSN Messenger file of the same name!
A program named Messenger Service, command: msmsgs.exe Added by the SDBOT-ZB WORM
A program named notepad.exe, command: msmsgs.exe Added by a variant of the FAKESPY-B TROJAN! Note - this particular msmsgs.exe file is located in the Windows\System32 or Winnt\System32 folder, and should not be mistaken for the MSN Messenger file of the same name!
A program named notepad.exe, command: msmsgs.exe Added by the ZLOB-I TROJAN
A program named notepad.exe, command: msmsgs.exe Added by the ZLOB-I and ZLOB-H TROJANS
A program named csrss, command: msmsgs.exe Added by the CHODE-J WORM


Attached to port TCP 1029:
A program named: 1029, command: TCP/UDP--apparently an "InCommand" program

Edited by brad656, 24 March 2006 - 08:12 PM.

  • 0

#12
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
This has got to be nothing but false positives.

I don't know how you got all that or where you got it. You are going to have to show me. I see no reason you can't post here exactly how you came up with all that.

If you have all that infection, which I doubt, one of these online scans would pick it up.
  • 0

#13
brad656

brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
I got these results from HiJackFree. I had a feeling it might be just the program. I've spoken with another person in this forum who has said that he has had problems with A-Squared, which sees perfectly good files as bad ones (coincidental, then, that all the bad files it reports on my computer are attached to 'good' files, and share the same command?)
You might be able to see them firsthand with this:
http://www.hijackfre...92-3642f42e1ce5

This is the log HiJackFree creates when I ask it to analyze my computer. If you click on 'view details' to the right of every 'yellow' program listed (you'll see the color-scheme when you click on it), it will show you the specifics of each 'infection'.
I've run a million and two other virus scans, talked to many people about this, and have a bunch of scanning software on my computer. They all say: Nothing's wrong--except for the odd TrendMicro scan that reveals a something or other every once in a while.

Should I continue with the procedure (checking with Kaspersky, removing programs)?
  • 0

#14
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
You do not have all those infections. Those tools like Hijack Free have to be interpreted just as a Hijack This log does.

Go ahead and run the Kaspersky scan just so you can see for yourself that you don't have all those infections.
  • 0
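The point Flrman1 makes above (a startup-list tool's "added by" notes have to be interpreted, not taken at face value) comes down to how such tools match: they compare the executable's file name in a Run key against a database of names that known malware families have used, so every legitimate program whose name has ever been borrowed by malware lights up. What distinguishes the real msmsgs.exe from an impostor is the directory it lives in, exactly as the notes quoted in the log say (the malicious copies sit in System32 or System32\Config rather than Program Files\Messenger). The following Python is an added illustration of that triage logic; it is not HiJackFree's or A-Squared's code, and the Run-key entries, the alias table and the expected-directory table are all constructed for the example (the family names are only the labels that appear in the thread, used as strings).

```python
"""Triage Windows Run-key entries: name-only signature matches vs. path-aware checks.

Added example (not HiJackFree's algorithm). All data below is constructed to
resemble the entries quoted in the thread; nothing is read from a live system.
"""
import ntpath

# Constructed Run-key entries: (value name, command line, hive).
RUN_ENTRIES = [
    ("MSMSGS", r"C:\Program Files\Messenger\msmsgs.exe /background", "HKCU"),
    ("Scheduler", r"C:\WINDOWS\system32\Config\MSMSGS.EXE", "HKLM"),
    ("QuickTime Task", r'"C:\Program Files\QuickTime\qttask.exe" -atboottime', "HKLM"),
    ("ccApp", r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"', "HKLM"),
    ("NeroFilterCheck", r"C:\WINDOWS\system32\NeroCheck.exe", "HKLM"),
]

# Constructed alias table: executable basename -> family labels that a
# name-based startup database would report for it (labels taken from the thread).
NAME_ALIASES = {
    "msmsgs.exe": ["SMALL-EW", "ZLOB.B", "HOSTBANK-A", "SDBOT-ZB", "AGOBOT-NL"],
    "ccapp.exe": ["AKHER.D", "REATLE", "RBOT-LJ"],
    "qttask.exe": ["CoolWebSearch variant"],
}

# Constructed table of where the genuine binaries are installed (lower-case,
# compared against the directory part of the Run-key command).
EXPECTED_DIRS = {
    "msmsgs.exe": {r"c:\program files\messenger"},
    "ccapp.exe": {r"c:\program files\common files\symantec shared"},
    "qttask.exe": {r"c:\program files\quicktime"},
}


def executable_path(command):
    """Return the executable path from a Run-key command line, or None.

    Windows command lines may be unquoted even when the path contains spaces,
    so the first '.exe' token (case-insensitive) is taken as the end of the path.
    """
    cmd = command.strip()
    idx = cmd.lower().find(".exe")
    if idx == -1:
        return None
    return cmd[: idx + 4].lstrip('"')


def name_only_matches(command):
    """What a purely name-based database would report for this command."""
    path = executable_path(command)
    if path is None:
        return []
    return NAME_ALIASES.get(ntpath.basename(path).lower(), [])


def triage(name, command):
    """Combine the name match with the path check to produce a verdict.

    CLEAN                 - no family has been recorded using this file name
    LIKELY_FALSE_POSITIVE - name matches, but the file is in its expected directory
    INVESTIGATE           - name matches and the file is somewhere unexpected
    """
    path = executable_path(command)
    if path is None:
        return {"name": name, "verdict": "INVESTIGATE", "aliases": [],
                "reason": "no executable path could be parsed"}
    base = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    aliases = NAME_ALIASES.get(base, [])
    if not aliases:
        verdict, reason = "CLEAN", "no name-based signature match"
    elif directory in EXPECTED_DIRS.get(base, set()):
        verdict = "LIKELY_FALSE_POSITIVE"
        reason = f"{base} matched {len(aliases)} families by name, but lives in its expected directory"
    else:
        verdict = "INVESTIGATE"
        reason = f"{base} matched by name and is outside its expected directory ({directory})"
    return {"name": name, "path": path, "verdict": verdict, "aliases": aliases, "reason": reason}


def triage_all(entries=RUN_ENTRIES):
    """Triage every constructed entry; returns one result dict per entry."""
    return [triage(name, command) for name, command, _hive in entries]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['verdict']:22} {result['name']:16} {result['reason']}")
```

Run as a script, the legitimate MSMSGS, ccApp and QuickTime entries come out as LIKELY_FALSE_POSITIVE (several family names each, exactly what the poster saw), NeroFilterCheck as CLEAN, and only the constructed Scheduler entry pointing at System32\Config as INVESTIGATE. On a real machine the same two checks (where the file actually is, and whether its signature or hash matches the vendor's) are what a reviewer does by hand when reading such a log, which is why a name-match count on its own says nothing about how many infections are present.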

#15
brad656

brad656

    Member

  • Topic Starter
  • Member
  • 38 posts
Aha! Just as I suspected! Well, thank you very much for clearing that up! I'll be sure to run the scan, but I'm sure nothing will turn up.
Thanks again.
  • 0