
Unknown Problem_tried To Follow "read This" Protocol


This topic is locked
28 replies to this topic

#1 rufus523
Members, 18 posts
Location: Staring at the screen.....

Posted 27 January 2006 - 04:39 PM

Greetings gurus and thank you so much in advance for any and all help in diagnosing my problem. I have researched and read the "read this" post and followed as many of the directions as possible (hope it helps).

My Problem (chronology):

1. Received call from ISP saying that I am "in violation of federal use guidelines".

2. When I called them back, they explained that my computer is sending out huge amounts of "SNMP" requests (new term to me, he said specifically that they were not smtp requests). He described this as my computer pinging their server over and over again saying "i'm ok! i'm ok!". He said it is normal, but that my computer is sending out brazillions of these things. It shut down two of their commercial servers within hours.

3. I ran all my spybot / adaware stuff in safe mode and erased anything suspicious.

4. Connected my computer back up to the internet, everything worked fine, but I got a phone call a few hours later from my ISP saying they were going to shut me down for the same reason.

5. **I clicked on Network connections and noticed that my computer had SENT billions of packets, but only received thousands**

6. I have not connected that computer to the internet since.


This is tough because I am trying to do this while offline. I cannot risk hooking the computer back up because I work from home and need the connection. I am currently using my work computer which does not seem to have any issues.

I downloaded and unzipped HJT onto my flash memory drive, transferred it to the bad computer, and ran it while the machine was in safe mode. It generated this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:43:22 PM, on 1/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vpzfmc] C:\WINNT\System32\vpzfmc.exe
O4 - HKLM\..\Run: [Kqftjw] C:\WINNT\jajlk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [oF9O3tX] dpmtuq.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ZoqERjbsj] ltkrslvr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137280097073
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137279920119
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.3.1_01) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.3.1_01) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teachscape.webex.com/client/v_myweb...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Does this make sense to anyone?

Again I thank you in advance for your help. I tried to research this and do it on my own, but sometimes you just need advice from an expert / guru. I know when I am out of my league. Sorry for such a long read...

Best,

J
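The symptom the ISP described, a flood of outbound SNMP requests with almost nothing coming back, is what a flow collector at the provider's edge would register as an extreme sent-to-received packet ratio concentrated on one destination port. As an added example, not part of this thread or of any tool mentioned in it, the Python below aggregates constructed flow records per source host and flags the one behaving like the infected PC. The record format, the addresses and the thresholds are assumptions of this example.

```python
from collections import defaultdict

# Constructed flow records (src, dst, proto, dst_port, packets), standing in
# for what a flow collector at the ISP edge would export.  10.0.0.5 plays the
# infected PC from the thread: a torrent of SNMP (UDP/161) requests out and
# almost nothing back.  10.0.0.7 is an ordinary browsing host for contrast.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", "udp", 161, 900_000),
    ("10.0.0.5", "203.0.113.11", "udp", 161, 850_000),
    ("10.0.0.5", "203.0.113.12", "udp", 161, 250_000),
    ("10.0.0.5", "198.51.100.9", "tcp", 80, 1_200),
    ("203.0.113.10", "10.0.0.5", "udp", 161, 300),
    ("198.51.100.9", "10.0.0.5", "tcp", 80, 1_100),
    ("10.0.0.7", "198.51.100.9", "tcp", 443, 4_000),
    ("198.51.100.9", "10.0.0.7", "tcp", 443, 6_500),
    ("10.0.0.7", "198.51.100.20", "udp", 53, 120),
    ("198.51.100.20", "10.0.0.7", "udp", 53, 118),
]

# Thresholds are assumptions for this example; tune them to the link in question.
MIN_SENT = 100_000          # ignore hosts that barely transmit
RATIO_THRESHOLD = 50.0      # packets sent per packet received
PORT_SHARE_THRESHOLD = 0.9  # fraction of sent packets on the single busiest port


def per_host_stats(flows):
    """Aggregate sent/received packets, per-port totals and distinct targets per host."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0,
                                 "by_port": defaultdict(int), "targets": set()})
    for src, dst, proto, dport, pkts in flows:
        stats[src]["sent"] += pkts
        stats[src]["by_port"][(proto, dport)] += pkts
        stats[src]["targets"].add(dst)
        stats[dst]["received"] += pkts
    return stats


def flag_flooders(flows):
    """Return {host: details} for hosts whose traffic is one-way and single-port."""
    verdicts = {}
    for host, s in per_host_stats(flows).items():
        if s["sent"] < MIN_SENT:
            continue
        ratio = s["sent"] / max(s["received"], 1)   # guard against zero received
        (proto, port), top = max(s["by_port"].items(), key=lambda kv: kv[1])
        share = top / s["sent"]
        if ratio >= RATIO_THRESHOLD and share >= PORT_SHARE_THRESHOLD:
            verdicts[host] = {
                "sent": s["sent"],
                "received": s["received"],
                "ratio": round(ratio, 1),
                "top_port": f"{proto}/{port}",
                "port_share": round(share, 3),
                "targets": len(s["targets"]),
            }
    return verdicts


if __name__ == "__main__":
    for host, d in flag_flooders(SAMPLE_FLOWS).items():
        print(f"{host}: {d['sent']} sent vs {d['received']} received "
              f"(ratio {d['ratio']}), {d['port_share']:.1%} on {d['top_port']} "
              f"to {d['targets']} hosts")
```

The two conditions are deliberately combined: a high sent-to-received ratio on its own also matches a host streaming video to a server, and a single dominant port on its own matches any busy web client, but both together on a management protocol such as SNMP is the pattern the ISP called in about.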


#2 John_McKenna (World Class Hairy Chest)
Members, 497 posts
Gender: Male
Location: Liverpool

Posted 01 February 2006 - 04:02 PM

Hi and welcome to Bleeping. :thumbsup:

You certainly have some malware in there.

First things first though, let's get Windows updated to a safe level.

Please click here to download Service Pack 1a. Choose the 'Network Installation' link which is a standalone download (125MB) that you can transfer to a cd or memory stick.

Install the Service pack on your infected machine making a note of any error messages.

Then post a fresh log in this thread after rebooting please. :flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 rufus523 (Topic Starter)
Members, 18 posts
Location: Staring at the screen.....

Posted 01 February 2006 - 04:13 PM

Thank you so much for your help / attention. I hope to do this later on tonight.

Quick Question: When I run HJT, should I run it in normal or safe mode?

Justin

#4 John_McKenna (World Class Hairy Chest)
Members, 497 posts
Gender: Male
Location: Liverpool

Posted 01 February 2006 - 04:16 PM

Normal mode please. :thumbsup:

#5 rufus523 (Topic Starter)
Members, 18 posts
Location: Staring at the screen.....

Posted 06 February 2006 - 09:14 AM

Ok, I hope that I did this correctly. After I did the transfer and ran the service pack, the computer automatically shut down. When I restarted to get the log, I got a lot of popups saying that certain programs were unable to load correctly (mostly spyware stuff). Just wanted to let you know. Also, I am not sure if I mentioned it, but this computer has been known to get the "bluescreen".

Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:09 AM, on 2/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINNT\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\SNDVOL32.EXE
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vpzfmc] C:\WINNT\System32\vpzfmc.exe
O4 - HKLM\..\Run: [Kqftjw] C:\WINNT\jajlk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [oF9O3tX] dpmtuq.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ZoqERjbsj] ltkrslvr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137280097073
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137279920119
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.3.1_01) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.3.1_01) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teachscape.webex.com/client/v_myweb...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thank you again so much for your help. I see you are in Liverpool, are you a fan of Liverpool FC? The English Premiership is unbelievable.

#6 John_McKenna (World Class Hairy Chest)
Members, 497 posts
Gender: Male
Location: Liverpool

Posted 06 February 2006 - 10:53 AM

I do indeed support Liverpool.

My username is the founder of the club, Honest John McKenna!! :thumbsup:

Your Norton should really be dealing with these infections if it's up to date.

Can you still download updated definitions or has your license expired?



You may wish to save these instructions to notepad for use while in Safe Mode.

Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download ATF Cleaner to your desktop.


Step 2

Reboot into Safe Mode please.

Run HijackThis again and checkmark the boxes before the following:-

O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)

O2 - BHO: (no name) - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - (no file)

O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe

O4 - HKLM\..\Run: [vpzfmc] C:\WINNT\System32\vpzfmc.exe

O4 - HKLM\..\Run: [Kqftjw] C:\WINNT\jajlk.exe

O4 - HKLM\..\Run: [oF9O3tX] dpmtuq.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ZoqERjbsj] ltkrslvr.exe

O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step 3

Use Windows Explorer to locate & delete the following files in bold:

C:\WINNT\av.exe
C:\WINNT\jajlk.exe
C:\WINNT\pgtaff.exe
C:\WINNT\System32\vpzfmc.exe
C:\WINNT\System32\ltkrslvr.exe<--check in C:\WINNT if not in System32
C:\WINNT\System32\dpmtuq.exe<--check in C:\WINNT if not in System32


Step 4

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Step 5

Reboot, connect to the internet and run either of the following online virus scans with Internet Explorer (saving the scan report when complete):

Kaspersky On-line Scanner
  • Accept the Active X object and download the latest definitions.
  • When the scanner is ready, click Scan Settings.
  • Select the Extended anti-virus database.
  • Select Scan Archives & Scan Mail Bases and then ok.
  • Click My Computer to run a full system scan.
  • When complete, choose Save as Text and save the log to your desktop.
Panda ActiveScan
  • Once on the Panda site click the Scan your PC button and then the Check Now button on the next screen.
  • Enter your details in the required fields.
  • Then click the big Scan Now button.
  • Allow the Active X component to install and download the necessary files. (Note: It may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan.
  • Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Step 6

Then post the following:
  • New HijackThis log.
  • Online scan results.
  • Any problems you encountered.
  • Info on your Norton license.

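The entries picked out for "Fix Checked" above, and the matching lines in the original log in post #1, share a few tells: BHOs registered with no file behind them, Run values that name a bare executable resolved through the PATH search order, executables dropped straight into the Windows directory, and value or file names that look machine-generated. As an added example, not part of this thread and not HijackThis code, the Python below applies those indicators to constructed sample lines in HijackThis v1.99 log format and ranks them. The point scores, the tier thresholds and the no-vowel heuristic are assumptions of this example; they produce prompts for a human reviewer, not verdicts, and legitimate vendor entries such as a modem utility launched by bare name will score as worth a look.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format: the kinds of entries seen
# in the thread's log (orphaned BHOs, Run values pointing at oddly named
# executables) next to ordinary vendor entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKLM\..\Run: [vpzfmc] C:\WINNT\System32\vpzfmc.exe
O4 - HKLM\..\Run: [Kqftjw] C:\WINNT\jajlk.exe
O4 - HKLM\..\Run: [oF9O3tX] dpmtuq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ZoqERjbsj] ltkrslvr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK[A-Z]{2}\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable sitting directly in the Windows directory, not in a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\[^\\]+$", re.I)
VOWELS = set("aeiouy")


@dataclass
class Finding:
    line: str
    name: str
    target: str
    score: int
    reasons: list

    @property
    def tier(self) -> str:
        # Thresholds are an assumption of this example, not HijackThis behaviour.
        return "suspicious" if self.score >= 2 else "review" if self.score == 1 else "ok"


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def looks_generated(token: str) -> bool:
    """Crude heuristic: a name with letters but no vowels at all (e.g. vpzfmc)."""
    letters = [c for c in token.lower() if c.isalpha()]
    return bool(letters) and not any(c in VOWELS for c in letters)


def score_run_entry(name: str, cmd: str) -> tuple[int, list]:
    """Score one O4 Run entry; higher means more worth a reviewer's attention."""
    exe = executable_of(cmd)
    stem = re.sub(r"\.[^.]*$", "", exe.rsplit("\\", 1)[-1])
    score, reasons = 0, []
    if "\\" not in exe and not exe.startswith("%"):
        score += 2
        reasons.append("bare file name, resolved through the PATH search order")
    if WINDIR_ROOT_RE.match(exe):
        score += 1
        reasons.append("executable dropped directly into the Windows directory")
    if looks_generated(name) or looks_generated(stem):
        score += 1
        reasons.append("value or file name looks machine-generated")
    if re.search(r"anti ?virus|security|update", name, re.I) and "program files" not in exe.lower():
        score += 1
        reasons.append("security-sounding name for a program outside Program Files")
    return score, reasons


def triage_log(text: str) -> list:
    """Parse O2 and O4 lines of a HijackThis log into scored findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            orphan = target.lower() == "(no file)"
            findings.append(Finding(line, m.group("name"), target, 2 if orphan else 0,
                                    ["BHO still registered but its DLL is gone"] if orphan else []))
            continue
        m = O4_RE.match(line)
        if m:
            score, reasons = score_run_entry(m.group("name"), m.group("cmd"))
            findings.append(Finding(line, m.group("name"), executable_of(m.group("cmd")),
                                    score, reasons))
    return findings


if __name__ == "__main__":
    for f in sorted(triage_log(SAMPLE_LOG), key=lambda f: -f.score):
        print(f"{f.tier:10} {f.score}  [{f.name}] {f.target}")
        for r in f.reasons:
            print(f"{'':13}- {r}")
```

Run as a script it prints the sample entries ranked from most to least suspicious with the reasons beside each; for a real log, feed the O2 and O4 sections through `triage_log` and treat the "review" tier as a list to check against known vendor files before deciding anything.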

#7 rufus523 (Topic Starter)
Members, 18 posts
Location: Staring at the screen.....

Posted 06 February 2006 - 12:09 PM

Hello:

Yes, my Norton expired as all of this was going on. Can I still use the memory stick to download and transfer these programs (panda scan etc.)? Once I am safely back online I will pay the $$ and update Norton.

I really can't hook that computer back up to the internet yet if it is going to be sending all those bundles of information or my ISP may cut me off again. Let me know what you think about the memory stick idea and I will get to this list this week. And thanks for the quick reply!

J

#8 John_McKenna (World Class Hairy Chest)
Members, 497 posts
Gender: Male
Location: Liverpool

Posted 06 February 2006 - 05:31 PM

I was really hoping once you'd deleted those files that the problem would be remedied.

Unfortunately, the online scans are just that, but we can use a standalone scanner for our purposes if you really don't want to go online until you know you're clean.


Please download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.

I need you to run MWav by double-clicking on mwav.exe.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C:\ (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan & Clean button. This can typically take hours to complete depending on the size of your hard drive.

**NOTE**Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list and a fresh HijackThis log please.

#9 rufus523 (Topic Starter)
Members, 18 posts
Location: Staring at the screen.....

Posted 06 February 2006 - 07:00 PM

Hello:

I am currently doing the "MWAV" scan. It did not give me the option to clean, just to scan...... Quick questions:

1. In line item 3 of your third post, you have asked me to manually remove a few items. I could not find these, not even with a search. Is it possible that these files were removed successfully by HJT?

2. If I backed up my system on an external hard drive, should I replace data once the machine is clean?

That might be a completely separate question.....

I will write back in a bit.

Justin

#10 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 07 February 2006 - 09:09 AM

1. In line item 3 of your third post, you have asked me to manually remove a few items. I could not find these, not even with a search. Is it possible that these files were removed successfully by HJT?

HijackThis doesn't remove files, only registry paths. It's possible they were orphaned entries and your existing security programs removed them. The next HijackThis should confirm either way.

2. If I backed up my system on an external hard drive, should I replace data once the machine is clean?

Most malware doesn't do any harm to your 'personal data' but backing it up is always a good idea in my book.

You shouldn't have to replace the data though. :thumbsup:

#11 rufus523

rufus523
  • Topic Starter

  • Members
  • 18 posts
  • Location:Staring at the screen.....

Posted 07 February 2006 - 09:39 AM

Hello:

Here is my ATF virus log (56 items):

Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "enhancemysearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "tvmedia Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "songspy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor.topicks.a Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "adtomi Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINNT\System32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\System32\msshed32.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\08E06F24.zip infected by "Email-Worm.Win32.Mydoom.am" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12887DBD tagged as "not-a-virus:AdWare.Win32.Apropos.b". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C8A738B tagged as "not-a-virus:AdWare.Win32.Adstart.c". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B973366 infected by "Backdoor.Win32.Agent.bg" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\43E64C59 infected by "Backdoor.Win32.Agent.co" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\51C14848 infected by "Trojan-Dropper.Win32.Small.mr" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\52F5599A infected by "Trojan-Dropper.Win32.Small.ht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C031686 tagged as "not-a-virus:AdWare.Win32.BargainBuddy.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086948.exe tagged as "not-a-virus:AdWare.Win32.WebRebates.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086949.exe tagged as "not-a-virus:AdWare.Win32.BetterInternet.aw". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086951.exe tagged as "not-a-virus:AdWare.Win32.MDH.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086952.exe infected by "Trojan-Dropper.Win32.Delf.z" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086953.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086954.ax tagged as "not-a-virus:AdWare.Win32.BargainBuddy.l". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086955.vxd tagged as "not-a-virus:AdWare.Win32.BargainBuddy.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP721\A0098859.ex_ infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\Downloaded Program Files\ieatgpc.dll tagged as "not-a-virus:AdWare.Win32.WebEx". Action Taken: No Action Taken.
File C:\WINNT\ServicePackFiles\i386\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\msshed32.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\08E06F24.zip infected by "Email-Worm.Win32.Mydoom.am" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12887DBD tagged as "not-a-virus:AdWare.Win32.Apropos.b". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C8A738B tagged as "not-a-virus:AdWare.Win32.Adstart.c". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B973366 infected by "Backdoor.Win32.Agent.bg" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\43E64C59 infected by "Backdoor.Win32.Agent.co" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\51C14848 infected by "Trojan-Dropper.Win32.Small.mr" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\52F5599A infected by "Trojan-Dropper.Win32.Small.ht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C031686 tagged as "not-a-virus:AdWare.Win32.BargainBuddy.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086948.exe tagged as "not-a-virus:AdWare.Win32.WebRebates.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086949.exe tagged as "not-a-virus:AdWare.Win32.BetterInternet.aw". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086951.exe tagged as "not-a-virus:AdWare.Win32.MDH.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086952.exe infected by "Trojan-Dropper.Win32.Delf.z" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086953.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086954.ax tagged as "not-a-virus:AdWare.Win32.BargainBuddy.l". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086955.vxd tagged as "not-a-virus:AdWare.Win32.BargainBuddy.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP721\A0098859.ex_ infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\Downloaded Program Files\ieatgpc.dll tagged as "not-a-virus:AdWare.Win32.WebEx". Action Taken: No Action Taken.
File C:\WINNT\ServicePackFiles\i386\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\msshed32.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.



And here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:25:53 AM, on 2/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\HijackThis\HijackThis.exe
C:\WINNT\PCHealth\HelpCtr\Binaries\HelpSvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137280097073
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137279920119
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.3.1_01) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.3.1_01) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teachscape.webex.com/client/v_myweb...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks again for your help,

J

#12 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 07 February 2006 - 10:46 AM

A few bits and bobs still knocking about in there.

Step 1

Please disable all the real-time protections you currently have enabled before fixing anything else as it would appear they may be preventing removal of some of the entries. Follow the instructions here for disabling Spybot's and SpySweeper's protection applets.

Then download Killbox to your desktop.


Step 2

Reboot into Safe Mode now please.

Run HijackThis again and checkmark the boxes before the following:-

O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe

O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe


Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step 3

Double-click killbox.exe

Select the option "Delete on reboot" and then click the All Files button.

Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:

C:\WINNT\System32\logonui.exe
C:\WINNT\System32\msshed32.exe
C:\WINNT\Downloaded Program Files\ieatgpc.dll
C:\WINNT\Meruoq.exe
C:\WINNT\pgtaff.exe


Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'.

Then press the red button with a white X in it.

Killbox will tell you that all listed files will be deleted on next reboot, click YES.

When it asks if you would like to Reboot now, click YES.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Step 4

Then either run MWav again or hook up to the internet and run the Panda scan for a second opinion.

Then give me a new HijackThis log (generated in normal mode please) and the virus scan results again. :thumbsup:
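The triage the helper does by hand above (match MWav's infected-file list against the HijackThis autorun entries, and spot orphaned registry entries) as an added Python example; this is not the thread's code nor any tool's own. The log lines are copied from the posts above except the MERUOQ.EXE detection, which is constructed so the correlation has something to match.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HijackThis line shapes used in the logs above (O4 autoruns, O2 BHOs).
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
# MWav "infected items" lines that name a file; "Object ..." lines carry no path.
MWAV_RE = re.compile(r'^File (?P<path>.+?) (?:infected by|tagged as) "(?P<sig>[^"]+)"')
# First .exe in a Run value, quoted or not; trailing arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)
# An executable sitting directly in the Windows directory, no vendor sub-folder.
WINROOT_RE = re.compile(r'^[a-z]:\\(winnt|windows)\\[^\\]+$')

# Sample input: HijackThis lines copied from the logs posted above.
HJT_LOG = r"""
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

# Sample input: MWav lines copied from the log above, plus one CONSTRUCTED
# detection for Meruoq.exe (MWav did not flag it in the thread) so that the
# autorun/file correlation has something to match. Mixed case is deliberate.
MWAV_LOG = r"""
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINNT\System32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\Downloaded Program Files\ieatgpc.dll tagged as "not-a-virus:AdWare.Win32.WebEx". Action Taken: No Action Taken.
File C:\winnt\MERUOQ.EXE infected by "Example.Constructed.Detection" Virus! Action Taken: No Action Taken.
"""


@dataclass
class Finding:
    kind: str    # what was matched
    line: str    # the HijackThis line to act on
    detail: str  # signature name or reviewer hint


def norm(path: str) -> str:
    """Case-fold a Windows path: NTFS is case-insensitive and the logs mix System32/system32."""
    return path.strip().lower()


def exe_of(cmd: str) -> Optional[str]:
    """Return the executable path of a Run value, or None if it holds no .exe."""
    m = EXE_RE.match(cmd.strip())
    return m.group('exe') if m else None


def parse_mwav(text: str) -> Dict[str, str]:
    """Map normalised file path -> detection name for every 'File ...' line."""
    flagged: Dict[str, str] = {}
    for line in text.splitlines():
        m = MWAV_RE.match(line.strip())
        if m:
            flagged[norm(m.group('path'))] = m.group('sig')
    return flagged


def triage(hjt_text: str, mwav_text: str) -> List[Finding]:
    """Cross-reference HijackThis autoruns/BHOs with the MWav infected list."""
    flagged = parse_mwav(mwav_text)
    findings: List[Finding] = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_of(m.group('cmd'))
            if exe is None:
                continue
            key = norm(exe)
            if key in flagged:
                # The autorun launches a file the scanner flagged: fix the
                # registry entry with HijackThis AND delete the file (HijackThis
                # alone only removes the registry path, as the helper notes).
                findings.append(Finding('autorun-of-flagged-file', line, flagged[key]))
            elif '\\' not in exe:
                findings.append(Finding('autorun-bare-filename', line,
                                        'resolved via the search path; confirm where it lives'))
            elif WINROOT_RE.match(key):
                # Review item, not a verdict: legitimate OEM tools land here too.
                findings.append(Finding('autorun-in-windows-root', line,
                                        'executable directly under the Windows directory; review'))
            continue
        m = O2_RE.match(line)
        if m and norm(m.group('path')) == '(no file)':
            findings.append(Finding('orphaned-bho', line,
                                    'registry entry with no file on disk; safe to fix in HijackThis'))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, MWAV_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.detail}")
```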

#13 rufus523

rufus523
  • Topic Starter

  • Members
  • 18 posts
  • Location:Staring at the screen.....

Posted 07 February 2006 - 02:57 PM

I must not be doing this right. It keeps finding the same stuff. I disabled everything that I could per your directions (spybot / spysweeper etc). The only thing that I couldn't change was AdAware, so I just uninstalled it.

I will send you the HJT and MWAV Virus Log when MWAV is finished running.

Do you think I should buy the regular version of "MicroWorld Anti Virus & Spyware Toolkit Utility"? It keeps finding stuff, like "Trojan.Win32.Agent.On" and some of the files I erased on KillBox are appearing on the MWAV Virus Log saying "no action taken".


After I ran HJT (after following the directions of your last post), I plugged in the computer to the internet (same cable that I am using on this computer). IMMEDIATELY after I plugged it in my computer had sent 17,999,999,999 packets and received nothing.

Another quirky thing is that I used to get an icon in the bottom right hand portion of the screen that looked like two computers blinking, that meant that I was connected online. I do not get that anymore when I plug in the machine.

Do you think I should buy the regular version of "MicroWorld Anti Virus & Spyware Toolkit Utility"? It keeps finding stuff, like "Trojan.Win32.Agent.On", but can't erase it because I have the trial version....

Sorry this is such a headache.....

#14 rufus523

rufus523
  • Topic Starter

  • Members
  • 18 posts
  • Location:Staring at the screen.....

Posted 07 February 2006 - 07:55 PM

:thumbsup:

I am completely infested. Should I throw in the towel??


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:36:24 PM, on 2/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINNT\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://production.teachscape.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137280097073
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137279920119
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.3.1_01) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.3.1_01) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teachscape.webex.com/client/v_myweb...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




MWAV: (Which somehow expanded, proving I am worthless)

Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "enhancemysearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkreplacer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bargainbuddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "enhancemysearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "tvmedia Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "songspy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor.topicks.a Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINNT\System32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\!KillBox\ieatgpc.dll tagged as "not-a-virus:AdWare.Win32.WebEx". Action Taken: No Action Taken.
File C:\!KillBox\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\!KillBox\msshed32.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\08E06F24.zip infected by "Email-Worm.Win32.Mydoom.am" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12887DBD tagged as "not-a-virus:AdWare.Win32.Apropos.b". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C8A738B tagged as "not-a-virus:AdWare.Win32.Adstart.c". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B973366 infected by "Backdoor.Win32.Agent.bg" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\43E64C59 infected by "Backdoor.Win32.Agent.co" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\51C14848 infected by "Trojan-Dropper.Win32.Small.mr" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\52F5599A infected by "Trojan-Dropper.Win32.Small.ht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C031686 tagged as "not-a-virus:AdWare.Win32.BargainBuddy.n". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-3057704224-1085806099-568186159-1003\Dc4.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086948.exe tagged as "not-a-virus:AdWare.Win32.WebRebates.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086949.exe tagged as "not-a-virus:AdWare.Win32.BetterInternet.aw". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086951.exe tagged as "not-a-virus:AdWare.Win32.MDH.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086952.exe infected by "Trojan-Dropper.Win32.Delf.z" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086953.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086954.ax tagged as "not-a-virus:AdWare.Win32.BargainBuddy.l". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086955.vxd tagged as "not-a-virus:AdWare.Win32.BargainBuddy.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP721\A0098859.ex_ infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100345.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100357.dll tagged as "not-a-virus:AdWare.Win32.WebEx". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100358.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100359.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100362.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100363.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100364.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100365.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\ServicePackFiles\i386\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\dllcache\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.




If I am beyond help, then just tell me my options; I will donate to you either way for your help.

J

#15 John_McKenna

  • Members
  • 497 posts
  • Location:Liverpool

Posted 08 February 2006 - 06:27 AM

On the contrary, rufus, you're actually clean in my opinion. Let me explain.

All the items in the scan report that don't have a specific location, for example:

Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "enhancemysearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkreplacer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bargainbuddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.

These are merely shrapnel from previous infections. They pose no danger whatsoever.


Items like these are quarantined by Norton so pose no threat:

File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\08E06F24.zip infected by "Email-Worm.Win32.Mydoom.am" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12887DBD tagged as "not-a-virus:AdWare.Win32.Apropos.b". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C8A738B tagged as "not-a-virus:AdWare.Win32.Adstart.c". Action Taken: No Action Taken.


Items starting with C:\System Volume Information\_restore, such as those below, are infected System Restore points, which pose no threat to your machine unless you roll back to a previous restore point. These can be flushed, which we'll come to shortly.

File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086948.exe tagged as "not-a-virus:AdWare.Win32.WebRebates.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP701\A0086949.exe tagged as "not-a-virus:AdWare.Win32.BetterInternet.aw". Action Taken: No Action Taken.


Items starting with C:\!KillBox\ like those below are backups of files deleted by Killbox. You can delete the C:\!KillBox folder now.

File C:\!KillBox\ieatgpc.dll tagged as "not-a-virus:AdWare.Win32.WebEx". Action Taken: No Action Taken.
File C:\!KillBox\msshed32.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.


The only detections which might be of concern are these:

File C:\WINNT\ServicePackFiles\i386\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\dllcache\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.

However, there is a legitimate Windows file of the same name which appears in the same 3 locations. After further investigation, though, I think it may be a false positive. Another anti-virus vendor (F-Secure) noted this on their website just a few days ago.

There's always the possibility that the legit file has been 'injected' by the trojan, but I find it highly unlikely that the backups of the file in the dllcache and the ServicePackFiles folder would also be infected. There's only one way of finding that out, though, and that's to get a second opinion. To do this you're going to have to either update Norton with the latest definitions or run an online file scanner such as eTrust's Web Scanner. Once there, you can expand the C: drive, locate the logonui.exe file in your System32 folder and have it scanned individually, or run a full system scan. Of course there's nothing to say that eTrust won't find the same false positive, but most of the good AV vendors should have this FP removed from their definitions by now really.

Let me know how you get on.

Oh and empty your recycle bin please!!

Edited by John_McKenna, 08 February 2006 - 06:28 AM.

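The reply above triages the scan report by where each hit lives (quarantine store, restore point, Killbox backup, recycle bin) and singles out the three logonui.exe copies as the only ones needing a second opinion. The script below is an added example, not code from the thread or from any tool mentioned in it: it parses lines in the MWAV format quoted above, sorts each hit into one of those buckets, groups the live hits by file name, and compares digests of the system32 copy against its dllcache and ServicePackFiles backups as one offline check on the "injected legit file" theory. The sample log lines and the digests used in the demo are constructed; the bucket names and helper functions are my own.

```python
"""Triage a pasted MWAV/eScan scan log: bucket every hit by where the file
sits, then flag the live system files that need a second opinion."""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample in the two line shapes seen in the posted log (not the
# full log from the thread).
SAMPLE_LOG = r"""
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\!KillBox\msshed32.exe infected by "Trojan-Downloader.Win32.Delf.zw" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\08E06F24.zip infected by "Email-Worm.Win32.Mydoom.am" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP722\A0100358.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-3057704224-1085806099-568186159-1003\Dc4.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\system32\dllcache\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
File C:\WINNT\ServicePackFiles\i386\logonui.exe infected by "Trojan.Win32.Agent.on" Virus! Action Taken: No Action Taken.
"""

#   Object "NAME" found in File System! ...          (no path: leftover registry/file traces)
#   File PATH infected by "NAME" Virus! ...  /  File PATH tagged as "NAME". ...
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')
FILE_RE = re.compile(r'^File (?P<path>.+?) (?:infected by|tagged as) "(?P<name>[^"]+)"')


def bucket_for_path(path: str) -> str:
    """Classify a hit by location. Everything except 'live' is inert: the file
    cannot execute from there unless someone restores or rolls it back."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"
    if p.startswith("c:\\!killbox\\"):
        return "killbox_backup"
    if p.startswith("c:\\recycler\\"):
        return "recycle_bin"
    return "live"


def parse_line(line: str):
    m = OBJECT_RE.match(line)
    if m:
        return {"name": m.group("name"), "path": None, "bucket": "remnant"}
    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        return {"name": m.group("name"), "path": path, "bucket": bucket_for_path(path)}
    return None  # summary lines, blanks, anything we don't recognise


def triage(log_text: str) -> dict:
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line.strip())
        if hit:
            buckets[hit["bucket"]].append(hit)
    return dict(buckets)


def live_files_needing_second_opinion(buckets: dict) -> dict:
    """Group live hits by file name so the same binary flagged in system32,
    dllcache and ServicePackFiles shows up as one item with three paths."""
    by_name = defaultdict(list)
    for hit in buckets.get("live", []):
        by_name[hit["path"].rsplit("\\", 1)[-1].lower()].append(hit["path"])
    return dict(by_name)


def sha256_file(path: str) -> str:
    """Digest a file on disk (used on a real machine; the demo uses fake digests)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(digests: dict) -> tuple:
    """digests maps each copy's path to its hex digest. All copies identical is
    what the false-positive theory predicts; a lone odd one out is the copy to
    submit for a second opinion. With no clear majority every path is returned."""
    counts = Counter(digests.values())
    if len(counts) == 1:
        return "identical", []
    (top, n), *rest = counts.most_common()
    if rest and rest[0][1] == n:
        return "differs", sorted(digests)
    return "differs", sorted(p for p, d in digests.items() if d != top)


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    for bucket, hits in sorted(buckets.items()):
        print(f"{bucket}: {len(hits)} hit(s)")
    for name, paths in live_files_needing_second_opinion(buckets).items():
        print(f"second opinion needed for {name} in {len(paths)} location(s)")
    # Constructed digests (not real hashes of any file) to exercise compare_copies.
    fake = {
        r"C:\WINNT\system32\logonui.exe": "a" * 64,
        r"C:\WINNT\system32\dllcache\logonui.exe": "a" * 64,
        r"C:\WINNT\ServicePackFiles\i386\logonui.exe": "a" * 64,
    }
    print(compare_copies(fake))
```

Identical digests across the three copies only show the detection is the same bytes everywhere; they do not prove the file is clean, since a dropper could in principle overwrite all three. The decisive check remains the one the reply asks for: a second scanner with current definitions, or a comparison against a known-good hash of logonui.exe for that service pack level.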



