BleepingComputer.com: Trojan Horse

I tried to wipe a few files with norton wipe..but the wipe was denied. Two notifications popped up, of trojan horses, one after the other. Here is my Hijack This log file from just now. Thank you very much for any help you can give, I appreciate it so much. If you could give me instructions, that would be wonderful. Thank you so much!

Logfile of HijackThis v1.99.1
Scan saved at 7:54:29 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\actsrv.exe
D:\Program Files\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\netmsg.exe
D:\Program Files\NMSAccess.exe
D:\PROGRA~1\NORTON~2\NPROTECT.EXE
D:\PROGRA~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Program Files\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
D:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\programfiles\itunes.exe\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\DOCUME~1\Joslin\LOCALS~1\Temp\_PA532\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton

Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program

Files\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\Program

Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\programfiles\itunes.exe\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager]

C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"

--force_start_minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\Digital

Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\Digital

Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to AD Black List - D:\Program Files\Avant

Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - D:\Program Files\Avant

Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - D:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - D:\Program Files\Avant

Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - D:\Program Files\Avant

Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - D:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe

Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common

Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation -

D:\Program Files\Norton Antivirus\navapsvc.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe
O23 - Service: NMSAccess - Unknown owner - D:\Program Files\NMSAccess.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation -

D:\PROGRA~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton

Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -

D:\PROGRA~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\Security Center\SymWSC.exe

Hi mausoleum and welcome to Bleeping.

Can you please submit a file for analysis by CLICKING HERE.

No registration required, just follow the instructions in the sticky topic at the top of the forum.

Please submit the file C:\WINDOWS\system32\actsrv.exe

The sample will be forwarded to various anti-malware companies so they can update their definitions.

====

You may wish to save these instructions to notepad or print them out for use while in Safe Mode.

Step # 1

Re-configure Windows Explorer to show hidden files & folders:
How to Show Hidden Files & Folders

Ensure you're familiar with rebooting into Safe Mode:
How to Boot into Safe mode

Download and install the trial version of AVG Anti-Spyware.

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the Resident Shield

- Before proceeding, deactivate AVG's "Resident Shield" as it may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
- Then go to Start > Run and type services.msc
- In the Services window, scroll down to AVG Anti-Spyware Guard and double click it to bring up another window.
- Hit the [Stop] button and change the "startup type" to disabled using the drop down menu.
- Exit the services page.

Update AVG's Definitions

- AVG automatically updates the spyware definitions if you are connected to the net during installation.
- As a precaution, click the "Update" icon from the main menu.
- Then click the "Start Update" button.
- When you receive the "Update successful" prompt, close AVG.
- Note: If you have any problems with the updater, you can update AVG Manually.


Step # 2

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.

Clean your Cache and Cookies in Firefox (if you also have Firefox installed):
Go to Tools > Options. Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking "Clear All".
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


Step # 3

Reboot into Safe Mode now please.

With only the HijackThis program open, scan and place a checkmark in the boxes before the following entries (if still present):-

O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe

O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe

Then click the "Fix Checked" button.


Step # 4

Use Windows Explorer to locate & delete the following files in bold:

C:\WINDOWS\system32\actsrv.exe
C:\WINDOWS\system32\netmsg.exe

*Right click the file and select delete.


Step # 5

Scanning with AVG

- Open AVG Anti-Spyware and click the "Scanner" icon from the main menu.
- Click "Complete System Scan" to start scanning.
- When scanning completes, click "Recommended action" beneath the results window and select Quarantine.
- Then click the "Apply all actions" button to quarantine everything detected.
- Then click Save report > Save report as and save the Report-Scan.txt to your desktop and restart your machine.


Step # 6

Download Dr.Web CureIt to your desktop:

• Double-click the drweb-cureit.exe file and allow it to run the express scan.
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, select the drives that you want to scan.
  
• Select all drives. A red dot shows which drives have been chosen.
  
• Click the green arrow > to the right and the scan will begin.
  
• At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, click the "Select all/select none" toggle button (if available) next to the files found:
  
• Then click the green cup icon right below and select Move incurable as you'll see in next image:
  
  This will move any infected files to the %userprofile%\DoctorWeb\quarantaine-folder that can't be cured (in case if we need samples).
  
• Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
  
• After the restart, post the contents of the Dr.Web.csv log file which you saved.

Step # 7

Then post the following in your next reply please:

• New HijackThis log.
  
• AVG Report-Scan.txt.
  
• Dr.Web.csv log file.
  
• Any problems you encountered.

Due to a lack of feedback, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.