Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


HJT Log- blackcat

  • This topic is locked This topic is locked
3 replies to this topic

#1 blackcat


  • Members
  • 5 posts
  • Local time:12:09 AM

Posted 23 August 2005 - 05:48 AM

Hi BC team,
Recently had some spyware detected on my computer and since deleteing it with various programs spybot and ad-aware, everytime i start up my computer multiple applications are unable to start because of a C:\WINDOWS\System32\ms0920b.dll file is not found. It suggests re installing the apllication but as i see from your forum it seems a bit more serious than that.
Ive performed a scan using hijackthis and attached the logfile.
Hope you can help.

Logfile of HijackThis v1.99.1
Scan saved at 8:33:21 PM, on 23/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CoolInfoXPNetClient] C:\PROGRA~1\COOLIN~1\coolinfo.exe /C
O4 - HKLM\..\Run: [CoolInfoXPMon] C:\PROGRA~1\COOLIN~1\cicmon.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124784306515
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)


#2 JG427


  • Members
  • 241 posts
  • Local time:12:09 AM

Posted 24 August 2005 - 11:12 PM

Hi, blackcat.

It sounds like you had the CWS.Holax virus. It's been hooked to the applications that are still trying to start it when they start. The following scan may be able to repair the applications. If that fails, we can use a dummy file to replace the bad .dll where the programs will start normally. Uninstalling and reinstalling the programs should also work.

Please run the Computer Associates online scan here:
Follow the prompts to scan your hard drive. When the scan is finished it will produce a report at the bottom of the screen. Please copy the entire text of this report and post it in your next reply.
Posted Image

#3 blackcat

  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:09 AM

Posted 25 August 2005 - 06:29 AM

Absolutely brilliant, thanks for the advide.
Ran the online scan and came up with the Holax A virus as you had thought. Managed to repair all the files and all is well again with my computer.
Just wondering what do you think for internet security, ive got zonealarm firewall, spybot, ad-aware and AVG virus scanner (all free ware). Is it worth buying an internet security program or would you recommend adding another program to the above?
Thanks again for the advice, :thumbsup:

Apoint.exe Win32.Holax.A cured C:\Program Files\Apoint2K\
atiptaxx.exe Win32.Holax.A cured C:\Program Files\ATI Technologies\ATI Control Panel\
RtlWake.exe Win32.Holax.A cured C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\
BrMfcWnd.exe Win32.Holax.A cured C:\Program Files\Brother\Brmfcmon\
realsched.exe Win32.Holax.A cured C:\Program Files\Common Files\Real\Update_OB\
Hotsync.exe Win32.Holax.A cured C:\Program Files\palmOne\
pptd40nt.exe Win32.Holax.A cured C:\Program Files\ScanSoft\PaperPort\
CeEKey.exe Win32.Holax.A cured C:\Program Files\TOSHIBA\E-KEY\
CePMTray.exe Win32.Holax.A cured C:\Program Files\TOSHIBA\Power Management\
TOSCDSPD.exe Win32.Holax.A cured C:\Program Files\TOSHIBA\TOSCDSPD\
PadExe.exe Win32.Holax.A cured C:\Program Files\TOSHIBA\Touch and Launch\
TPTray.exe Win32.Holax.A cured C:\Program Files\TOSHIBA\TouchPad\
WZQKPICK.EXE Win32.Holax.A cured C:\Program Files\WinZip\
agrsmmsg.exe Win32.Holax.A cured C:\WINDOWS\
RAMASST.exe Win32.Holax.A cured C:\WINDOWS\system32\

#4 JG427


  • Members
  • 241 posts
  • Local time:12:09 AM

Posted 25 August 2005 - 12:06 PM

Your welcome, glad we could help.

Just wondering what do you think for internet security, ive got zonealarm firewall, spybot, ad-aware and AVG virus scanner (all free ware). Is it worth buying an internet security program or would you recommend adding another program to the above?

Your in great shape so far, your running the same programs as me! :thumbsup:
I would not buy any protection programs. The online ones may be rogue (see this list) or just don't work any better than the free ones.

I must say that the first step in protecting your system is turn on windows automatic updates and allow your system to install all critical updates including service pack 2.

I do recommend the addition of the following free programs. They protect in a different manner than a firewall or malware scanner.
SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.

Blocking Unwanted Parasites with a Hosts File

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users