
Trojans Secup, Perfcoo, Killav; Slow Start Up; Internet Call Waiting Issues



#1 sg_sheeley (Members, 2 posts)

Posted 14 November 2007 - 09:59 AM

ETA: I think I'm on my way to fixing the ICW issue, I found this:

[gwmdmmsg.exe]
FilePath : C:\WINNT\
ProcessID : 1984
ThreadCreationTime : 10-29-2007 1:06:33 PM
BasePriority : Normal
FileVersion : 3.4.22 08/06/2002 14:26:16
ProductVersion : 3.4.22 08/06/2002 14:26:16
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright GTW 1998-2000
OriginalFilename : smdmstat.exe

I just think that I need to get it to boot on startup. Any ideas?



About 3 weeks ago, my Norton Anti-Virus found 2 trojans, and I let Norton remove them. A few days later, I had the same virus again. I had someone come over and look at my computer. He had me download several programs (CCleaner, SmitFraudFix, Combo Fix, StartUp List, PCDecrapifier) and I downloaded AdAware and Spybot Search and Destroy from recommendations on Kim Komando's website. Now, whenever I restart the computer, it takes 2-3 minutes to boot, and my Norton programs don't start up automatically. My internet call waiting is no longer working (GTW V.92 voicemodem) either. Gateway tech support has recommended formatting the hard drive, and says that the ICW is a problem with my ISP. Here's the HijackThis log:

StartupList report, 11/14/2007, 8:38:09 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
CTHelper = CTHELPER.EXE
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINNT\system32\ctfmon.exe
Norton SystemWorks = "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - Matt.job
Norton AntiVirus - Run Norton QuickScan - Matt.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
WebReg 20030525215351.job
WebReg 20030611115636.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[LSSupCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\LSSupCtl.dll
CODEBASE = http://www.symantec.com/techsupp/asa/LSSupCtl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\CONFLICT.1\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

[Symantec SmartIssue]
InProcServer32 = C:\WINNT\Downloaded Program Files\tgctlsi.dll
CODEBASE = https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab

[Symantec Script Runner Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\tgctlsr.dll
CODEBASE = https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab

[TechToolsActivex.TechTools]
InProcServer32 = C:\WINNT\Downloaded Program Files\TechTools.ocx
CODEBASE = hcp://system/TechTools.CAB

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[Symantec Download Manager]
InProcServer32 = C:\WINNT\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/Template...nloads/outc.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 7,723 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks!

Edited by sg_sheeley, 14 November 2007 - 02:01 PM.
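The log above is a StartupList report rather than a standard HijackThis log, but its autorun sections (the Winlogon UserInit value, the HKLM and HKCU Run keys, and the Downloaded Program Files ActiveX controls) are exactly the persistence points a responder reads first. The following is an added example, not code from the post or from HijackThis/StartupList, that parses those sections and produces a triage worklist: a UserInit value with more than the single default entry, Run values that are a bare filename (resolved through the executable search path rather than a fixed location), unquoted paths containing spaces, executables launched from user-writable directories, and ActiveX CODEBASE URLs fetched over cleartext http. SAMPLE_REPORT is constructed to mirror the format in the post; the second UserInit entry, the Temp-directory Run value and the example.net controls are hypothetical and exist only to exercise the checks. Run on the poster's own log, the UserInit check passes (one entry, userinit.exe with a trailing comma is the default), while the bare-filename and unquoted-path checks would list vendor defaults such as CTHELPER.EXE and the Works update entry, so treat the output as a list of things to verify, not a verdict.

```python
"""Triage the autorun sections of a StartupList (HijackThis) report.

Added example; not code from the forum post or from HijackThis/StartupList.
SAMPLE_REPORT is constructed to mirror the report format shown in the post;
the second UserInit entry, the Temp-directory Run value and the example.net
controls are hypothetical and exist only to exercise the checks.
"""
import re
from urllib.parse import urlsplit

SAMPLE_REPORT = r"""
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,C:\Documents and Settings\user\Local Settings\Temp\extra.exe

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Updater = "C:\Documents and Settings\user\Local Settings\Temp\updater.exe" /silent

Enumerating Download Program Files:
[Sample Control A]
InProcServer32 = C:\WINNT\Downloaded Program Files\samplea.dll
CODEBASE = http://updates.example.net/ctl/samplea.cab
[Sample Control B]
InProcServer32 = C:\WINNT\Downloaded Program Files\sampleb.dll
CODEBASE = https://secure.example.net/ctl/sampleb.cab
"""

SECTIONS = {  # StartupList headers we care about; every header ends with ':'
    "Checking Windows NT UserInit:": "userinit",
    "Autorun entries from Registry:": "run",
    "Enumerating Download Program Files:": "dpf",
}
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=[\s,]|$)", re.I)
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\users\\")

def parse_report(text):
    """Collect UserInit, Run-key entries and Downloaded Program Files controls."""
    out, section, key, ctl = {"userinit": None, "run": [], "dpf": []}, None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("----"):
            continue
        if line.endswith(":"):  # section header: switch parser state
            section, key, ctl = SECTIONS.get(line), None, None
        elif section == "userinit" and line.lower().startswith("userinit"):
            out["userinit"] = line.partition("=")[2].strip()
        elif section == "run":
            if key is None and "=" not in line:  # the registry key precedes its values
                key = line
            elif "=" in line:
                name, _, cmd = line.partition("=")
                out["run"].append((key, name.strip(), cmd.strip()))
        elif section == "dpf":
            if line.startswith("[") and line.endswith("]"):
                ctl = {"name": line[1:-1]}
                out["dpf"].append(ctl)
            elif ctl is not None and "=" in line:
                k, _, v = line.partition("=")
                ctl[k.strip()] = v.strip()
    return out

def command_executable(cmd):
    """Return (executable, note); note is None when nothing stands out."""
    cmd = cmd.strip()
    quoted = cmd.startswith('"')
    if quoted:
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:  # unquoted: take everything up to the first executable extension
        m = EXE_RE.match(cmd)
        exe = m.group(1) if m else (cmd.split() or [""])[0]
    if "\\" not in exe and ":" not in exe:
        return exe, "bare filename; found via the executable search path, not a fixed location"
    if not quoted and " " in exe:
        return exe, "unquoted path with spaces; each space-delimited prefix is tried as a program first"
    if any(marker in exe.lower() for marker in USER_WRITABLE):
        return exe, "runs from a user-writable location"
    return exe, None

def triage_text(text):
    """Return {'where', 'value', 'note'} findings for one StartupList report."""
    rep, findings = parse_report(text), []
    ui = rep["userinit"]
    if ui is not None:  # default is a single userinit.exe entry (trailing comma is normal)
        parts = [p.strip() for p in ui.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("\\system32\\userinit.exe"):
            findings.append({"where": "UserInit", "value": ui,
                             "note": "extra or non-default logon program (runs before the shell)"})
    for key, name, cmd in rep["run"]:
        exe, note = command_executable(cmd)
        if note:
            findings.append({"where": f"{key}\\{name}", "value": exe, "note": note})
    for ctl in rep["dpf"]:
        cb = ctl.get("CODEBASE", "")
        if urlsplit(cb).scheme.lower() == "http":
            findings.append({"where": ctl["name"], "value": cb,
                             "note": "ActiveX CODEBASE fetched over cleartext http"})
    return findings
```

To use it on a real report, read the saved StartupList text into a string and call `triage_text(text)`; each finding carries the registry location or control name, the value that tripped the check, and a one-line reason. The UserInit check is the one that matters most for a clean-looking log like the poster's: anything appended after userinit.exe runs at every logon before Explorer does, which is why that value is worth checking by hand even when every Run entry is recognisable vendor software.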



#2 Papakid (Malware Response Team, 6,637 posts)

Posted 25 November 2007 - 06:52 PM

Hi sg_sheeley,

Our apologies for the delay. If you still require help, please post a new fresh log so I can see if anything has changed.

If you have not done so already, please do the initial cleanup steps in the following instructions before posting your new log: Preparation Guide For Use Before Posting A Hijackthis Log

Then, instead of just posting a HijackThis log, please only do the following, which will include one:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
BTW, you posted a StartupList instead of a standard HijackThis log. As mentioned above, the DSS logs will include a standard HJT log. When you post back, please update me as to where you stand now--has anything changed, and what problems are you experiencing?
