
Spytrooper - I'm going crazy [RESOLVED]


This topic is locked

#1
MikeyM (New Member, 5 posts)
From the looks of the other forum discussions, I think you are familiar with the Spytrooper problem I am having. I was about to follow the instructions posted to another thread (Bobby-Jo), but received instructions to submit my own log files. I ran a HijackThis scan and the log follows. Can you please help me with this? I am going nuts.

Logfile of HijackThis v1.99.1
Scan saved at 11:29:12 AM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpyTrooper\SpyTrooper.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.motor-search.info/
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp9045.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [addoj.exe] C:\WINDOWS\system32\addoj.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyTrooper] C:\Program Files\SpyTrooper\SpyTrooper.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hcqfjuur.exe
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello and welcome to Geeks to Go:tazz:

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Hijack fixes

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.motor-search.info/
O4 - HKCU\..\Run: [SpyTrooper] C:\Program Files\SpyTrooper\SpyTrooper.exe
O4 - HKLM\..\Run: [addoj.exe] C:\WINDOWS\system32\addoj.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hcqfjuur.exe

Now close all windows other than HiJackThis, then click Fix Checked.


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Uninstall

Please remove these entries from Add/Remove Programs in the Control Panel (if present):
SpyTrooper

Folder deletions

Please delete the folders in red using Windows Explorer (if present):
C:\Program Files\SpyTrooper

File deletions

Please delete the files in red using Windows Explorer (if present):
C:\WINDOWS\system32\addoj.exe

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with a new Hijack log in your next reply.



Reboot and post the logs requested

Thanks :)

Edited by loophole, 10 December 2005 - 03:38 PM.

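The five entries loophole picked out above share recognisable patterns: a start page forced to about:blank, a search URL pointing at an unknown host, a Run value named after its own executable in system32, a rogue "anti-spyware" product in HKCU\..\Run, and an O16 ActiveX entry whose codebase is a local file. As an added illustration that is not part of this thread and is not HijackThis or smitRem code, the Python script below encodes those heuristics and runs them over a constructed subset of the log posted in #1. TRUSTED_HOSTS and ROGUE_NAMES are constructed lists for the example, the "high"/"review" severities are the script's own labels, and the O2 rule (a BHO loaded from a .tmp file) is an assumption taken from the hp***.tmp pattern smitRem reports later in the thread.

```python
import re
from dataclasses import dataclass

# Constructed allowlist for this example; a real one is per-site.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "search.yahoo.com"}

# Programs this thread treats as rogue anti-spyware (constructed list).
ROGUE_NAMES = {"spytrooper"}

# Constructed sample: a subset of the HijackThis 1.99.1 lines posted in #1.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.motor-search.info/
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp9045.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [addoj.exe] C:\WINDOWS\system32\addoj.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKCU\..\Run: [SpyTrooper] C:\Program Files\SpyTrooper\SpyTrooper.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hcqfjuur.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high" = fix it, "review" = confirm with the user first
    reason: str
    line: str


def _host(url):
    m = re.match(r"https?://([^/]+)", url, re.I)
    return m.group(1).lower() if m else None


def _o4_target(body):
    """Split 'HKLM\\..\\Run: [Name] "C:\\dir\\prog.exe" /arg' into (Name, path)."""
    m = re.search(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>.*?\.exe)', body, re.I)
    return (m.group("name"), m.group("path")) if m else (None, None)


def triage_line(line):
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = re.match(r"([RFNO]\d+) - (.*)", line)
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()

    # Stale entries are leftovers, not infections, but worth cleaning up.
    if low.endswith("(file missing)"):
        return Finding(section, "review", "entry points at a file that no longer exists", line)

    if section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower() == "about:blank":
            return Finding(section, "high", "start page forced to about:blank", line)
        host = _host(value)
        if host and host not in TRUSTED_HOSTS:
            return Finding(section, "high", f"search/start page set to untrusted host {host}", line)
    elif section == "O2" and low.endswith(".tmp"):
        return Finding(section, "high", "BHO loaded from a .tmp file", line)
    elif section == "O4":
        name, path = _o4_target(body)
        if path:
            base = path.rsplit("\\", 1)[-1].lower()
            if base.removesuffix(".exe") in ROGUE_NAMES:
                return Finding(section, "high", f"autorun of known rogue program {base}", line)
            if "\\temp\\" in path.lower():
                return Finding(section, "high", "autorun from a Temp directory", line)
            if name.lower() == base and "\\system32\\" in path.lower():
                return Finding(section, "review",
                               "Run value named after its own executable in system32 (often generated)", line)
    elif section == "O16" and low.startswith("dpf:") and "file://" in low:
        return Finding(section, "high", "ActiveX download entry points at a local file", line)
    elif section == "O23" and "unknown owner" in low:
        return Finding(section, "review", "service binary has no recognised publisher", line)
    return None


def triage_log(text):
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the constructed sample, the "high" hits are exactly the R1, O4 and O16 lines loophole had fixed plus the .tmp BHO; the "review" hits (the Norton toolbar with a missing DLL, the unsigned PPPoE service, the addoj.exe Run value) are the ones a helper would confirm before acting on, which matches how the thread proceeds.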

#3
MikeyM (Topic Starter, New Member, 5 posts)
Loophole,

OK, I've followed the instructions above and all went well except I could not do the following as the file was not present....

"File deletions
Please delete the files in red using Windows Explorer(if present):
C:\WINDOWS\system32\addoj.exe"

Below is an updated Hijack log followed by the smitfiles.txt log as requested.

Logfile of HijackThis v1.99.1
Scan saved at 9:39:41 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\hppapml0.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


AND NOW THE SMITFILES.TXT LOG


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 12/11/2005
The current time is: 19:44:00.10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 728 'explorer.exe'
Killing PID 728 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:

#4
loophole (Malware Expert, Retired Staff, 9,798 posts)
That's fine about the file; some other scanner probably got it :tazz:

Just need to do the final cleanup.

Please run this online virus scan:
Panda Active Scan You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log


#5
MikeyM (Topic Starter, New Member, 5 posts)
I did as requested. Below are the reports from the Panda Active Scan followed by a new Hijack log...



Incident Status Location

Virus:Trj/Downloader.AES Disinfected Operating system
Adware:adware/navipromo Not desinfected C:\WINDOWS\sdkqc32.exe
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\ER6RU5YN\d[1].htm
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\ER6RU5YN\toolbar[2].htm
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\CA0LYDXY.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\CAKTUBWP.HTM
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\d[1].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\d[2].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\d[3].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\d[4].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\d[5].htm
Virus:VBS/Psyme.CK Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\FEG7Z9S9\i445[1].js
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\G1ENSHIV\d[1].htm
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\0006[1].cab[ISTactivex.dll]
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\CA2FCPUD.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\CA8XABK5.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\CAWHAPL2.HTM
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\d[1].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\d[2].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\d[4].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\d[5].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\d[6].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\d[7].htm
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\sex_viewer_install[1].htm
Dialer:Dialer.Gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\K1Q7SPEV\Xadult1[1].exe
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\KZ77B7QC\CA4TOX47.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\KZ77B7QC\CA67GDIB.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\KZ77B7QC\CAIZK1K9.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\KZ77B7QC\CAU7WV5Q.HTM
Possible Virus. Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\KZ77B7QC\dexCA542[1].exe
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[10].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[11].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[12].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[13].chm[runit.html]
Virus:Exploit/Codebase.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[14].chm[l.html]
Virus:Trj/Downloader.CP Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[14].chm[e.exe]
Virus:Exploit/Codebase.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[15].chm[l.html]
Virus:Trj/Downloader.CP Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[15].chm[e.exe]
Virus:Exploit/Codebase.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[16].chm[l.html]
Virus:Trj/Downloader.CP Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[16].chm[e.exe]
Virus:Exploit/Codebase.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[17].chm[l.html]
Virus:Trj/Downloader.CP Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[17].chm[e.exe]
Virus:Exploit/Codebase.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[18].chm[l.html]
Virus:Trj/Downloader.CP Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[18].chm[e.exe]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[1].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[2].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[3].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[4].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[5].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[6].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[7].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[8].chm[runit.html]
Virus:JS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\chm[9].chm[runit.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\COUNTER[1].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\COUNTER[2].CHM[COUNTER.htm]
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\gt[1].htm
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[12].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[13].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[18].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[19].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[1].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[20].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[25].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[28].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[29].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[32].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[33].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[38].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[39].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[4].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[5].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[8].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new2[9].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new4[1].chm[new2.html]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\new4[2].chm[new2.html]
Virus:Trj/Sobit.A Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\tl7000[1].dll
Dialer:Dialer.Gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\L7F7LLWE\Xadult1[1].exe
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\0006[1].cab[ISTactivex.dll]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\buka[2].chm[z.htm]
Adware:Adware/Startpage.CED Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\buka[2].chm[x.exe]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\buka[3].chm[z.htm]
Adware:Adware/Startpage.CED Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\buka[3].chm[x.exe]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\buka[4].chm[z.htm]
Adware:Adware/Startpage.CED Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\buka[4].chm[x.exe]
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\CA8HAR0D.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\CAEN4RR4.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\CAJACJVD.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\CAK1I5FW.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\CARUHSXB.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\CAS10P4J.HTM
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\COUNTER[1].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\COUNTER[2].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\COUNTER[3].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\new2[1].chm[new2.html]
Dialer:Dialer.Gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\Xadult1[1].exe
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\CAL8V27R.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\CAWDMVO1.HTM
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\CAYVSTQR.HTM
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[10].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[11].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[1].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[2].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[3].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[4].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[5].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[6].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[7].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[8].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\COUNTER[9].CHM[COUNTER.htm]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[10].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[10].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[11].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[11].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[12].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[12].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[13].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[13].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[14].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[14].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[15].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[15].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[16].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[16].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[17].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[17].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[1].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[1].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[2].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[2].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[3].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[3].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[4].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[4].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[5].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[5].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[6].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[6].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[7].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[7].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[8].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[8].chm[exploit.exe]
Virus:VBS/Psyme.gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[9].chm[exploit.htm]
Virus:Trj/Downloader.EKW Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OFDJYQRX\exploit[9].chm[exploit.exe]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\OXWP6ZC5\COUNTER[1].CHM[COUNTER.htm]
Virus:VBS/Psyme.C Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\SH0N07OR\new2[1].chm[new2.html]
Virus:VBS/Psyme.gen Renamed C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\UNANI9MF\i445[1].js
Virus:VBS/Psyme.gen Renamed C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\UX9EJAPC\i445[1].js
Virus:VBS/Psyme.gen Renamed C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\UX9EJAPC\i445[2].js
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\V6ZIRRA4\checker[1].htm
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\V6ZIRRA4\checker[2].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\V6ZIRRA4\d[1].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\V6ZIRRA4\d[2].htm
Virus:VBS/Psyme.gen Renamed C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\V6ZIRRA4\i445[1].js
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\Y5WBM925\0006[1].cab[ISTactivex.dll]
Dialer:Dialer.Gen Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\Y5WBM925\058623ca[1].exe
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\YLP6JIHO\0006[2].cab[ISTactivex.dll]
Virus:VBS/Psyme.gen Renamed C:\Documents and Settings\Micheal M\Local Settings\Temporary Internet Files\Content.IE5\YLP6JIHO\i445[1].js
Adware:Adware/SearchAid Not desinfected C:\Program Files\Internet Explorer\bdqqfjdq.exe
Adware:Adware/SearchAid Not desinfected C:\Program Files\Internet Explorer\trxoervc.exe
Virus:Trj/Cisp.A Disinfected C:\WINDOWS\ftp.txt
Virus:Trj/Downloader.AES Disinfected C:\WINDOWS\system32\c_10230.dll

AND NOW THE HIJACK REPORT



Logfile of HijackThis v1.99.1
Scan saved at 1:01:58 PM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [Panda_cleaner_134762] C:\WINDOWS\system32\ActiveScan\pavdr.exe 134762
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) -

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Download and install CleanUp! Here, but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. If asked to reboot, select NO.

Pocket Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\sdkqc32.exe
    C:\Program Files\Internet Explorer\bdqqfjdq.exe
    C:\Program Files\Internet Explorer\trxoervc.exe
    C:\WINDOWS\system32\c_10230.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot

Post a new hijack log and tell me how your system is running now.

Thanks :tazz:

#7
MikeyM

    New Member

  • Topic Starter
  • Member
  • 5 posts
Alright,

I did as requested.

When I ran the Killbox, I did NOT receive any prompts to the tune of "Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)."
--> hope that is a good thing.

As far as my system goes, I believe everything is performing well, but I have not really had time to test things out.

Below is my HijackThis log performed after your instructions....

Logfile of HijackThis v1.99.1
Scan saved at 4:09:49 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {835A7EEF-7B08-4698-84D0-F4BA22548ABC} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {45DBB38A-88EE-45DE-BB16-E06C2E5A9174} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
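A check I would run after the Killbox step in post #6 and before reading the follow-up log in post #7: what "Delete on Reboot" actually queued, whether the targets are gone after the restart, and which HijackThis entries still point at the deleted files. This is an added PowerShell example, not code from the thread or from the Killbox or CleanUp! authors; it assumes the four Killbox paths loophole listed and quotes two O9 lines from MikeyM's post-cleanup log as sample input.

```powershell
# Added example, not from the thread or from the Killbox/CleanUp! authors.
# Runs in Windows PowerShell 5.1 or pwsh; the registry and file-system checks
# are skipped when not on Windows so the log cross-check still runs anywhere.

# The four paths loophole had MikeyM paste into Killbox (post #6).
$KillboxTargets = @(
    'C:\WINDOWS\sdkqc32.exe',
    'C:\Program Files\Internet Explorer\bdqqfjdq.exe',
    'C:\Program Files\Internet Explorer\trxoervc.exe',
    'C:\WINDOWS\system32\c_10230.dll'
)

function Get-PendingDeletions {
    # "Delete on Reboot" tools queue their work in PendingFileRenameOperations,
    # a REG_MULTI_SZ of source/destination pairs that Session Manager carries
    # out early in the next boot, before the processes that would hold the
    # file open have started. A pair whose destination is empty is a delete.
    # Read it before rebooting to see what was queued; after a successful
    # reboot the value has been consumed and is gone.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $ops = @($item.PendingFileRenameOperations)
    for ($i = 0; ($i + 1) -lt $ops.Count; $i += 2) {
        # Entries carry the NT object-manager prefix \??\ ; strip it for display.
        $src = $ops[$i] -replace '^\\\?\?\\', ''
        $dst = $ops[$i + 1] -replace '^\\\?\?\\', ''
        if (-not $dst) { $dst = '<delete>' }
        [pscustomobject]@{ Source = $src; Destination = $dst }
    }
}

function Test-DeletionResult {
    param([string[]] $Paths)
    # After the reboot every target should be gone. A file that is still
    # present means the queued delete did not run or something re-created it.
    foreach ($p in $Paths) {
        [pscustomobject]@{ Path = $p; StillPresent = [bool](Test-Path -LiteralPath $p) }
    }
}

function Find-StaleLogReferences {
    param([string[]] $LogLines, [string[]] $Paths)
    # Deleting a file does not remove the registry entries that loaded it, so
    # the follow-up HijackThis log still lists them, now tagged "(file missing)".
    # Seeing that tag on a deleted path is how the log confirms the delete.
    # Comparison is case-insensitive: Killbox was given "system32", the log
    # prints "System32", and NTFS treats them as the same path.
    foreach ($line in $LogLines) {
        foreach ($p in $Paths) {
            if ($line.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    Section     = ($line -split ' ')[0]          # e.g. O9
                    Path        = $p
                    FileMissing = $line -like '*(file missing)*'
                }
            }
        }
    }
}

# Sample input: two O9 lines quoted from MikeyM's post-cleanup HijackThis log
# (post #7), plus one unrelated O4 line from the same log that must not match.
$SampleLog = @(
    'O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing)',
    'O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing) (HKCU)',
    'O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe'
)

Find-StaleLogReferences -LogLines $SampleLog -Paths $KillboxTargets | Format-Table -AutoSize

if ($env:OS -eq 'Windows_NT') {
    Get-PendingDeletions | Format-Table -AutoSize
    Test-DeletionResult -Paths $KillboxTargets | Format-Table -AutoSize
}
```

On the sample input the cross-check reports the two O9 entries for c_10230.dll with FileMissing set and ignores the O4 line; on the cleaned machine itself the registry read returns nothing and all four targets report StillPresent as False.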

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
You should be fine. I'll leave this thread open for a couple days just in case :)

Congratulations

your system is clean :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

#9
MikeyM

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thank you so much for your help - you can imagine just how pleased I am that I no longer have this problem.

I really appreciate all your help and thank you for making all of your instructions so easy to follow that even a technological incompetent like myself could manage them.

Thanks again. :tazz:

Regards,

MikeyM

#10
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
You're welcome :tazz:

#11
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
