Help needed with log
Posted by: kcnative
I followed the initial instructions (adaware, spybot, bitdefender and trendmicro scans, etc), and it helped a LOT...but I've still got some stragglers. Was wondering if anyone could help me take this baby out for good! Thanks in advance...you guys are warriors in the fight against what I consider true EVIL!!!
-----------
Adaware scan results (could not be removed):
C:\WINNT\Ceres.dll
C:\WINNT\System32\msxml3.dll
C:\WINNT\System32\msxml3r.dll
---------------
Spybot scan results: 2 unidentified files were unfixable
::::::::SAFE MODE SCANS::::::::
Norton AntiVirus Corporate Edition results: No viruses found
Adaware scan: No files found (30) were unfixable
Spybot scan: Nothing found!
:::::REBOOT::::::::
After restart, still getting two popups...one from searchmiracle.com and another from ads.(something)click.com.
----------
Bitdefender scan results: 19 infected, 16 unfixable
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\cln2F.tmp: infected with Trojan.Downloader.Dyfuca.DX
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\cln2F.tmp: disinfection failed
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\installer_MARKETING18.exe: infected with Trojan.Downloader.Adload.A
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\installer_MARKETING18.exe: disinfection failed
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\9OFZV54C\protector[1].exe: infected with BehavesLike:Win32.ExplorerHijack
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\9OFZV54C\protector[1].exe: disinfection failed
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLYV8XMR\protector_update[1].exe: infected with BehavesLike:Win32.ExplorerHijack
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLYV8XMR\protector_update[1].exe: disinfection failed
C:\Program Files\FwBarTemp\searchbar.exe: infected with Trojan.Downloader.VB.EU
C:\Program Files\FwBarTemp\searchbar.exe: disinfection failed
C:\Program Files\sdf.exe: infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\sdf.exe: disinfection failed
C:\Program Files\Windows Media Player\wmplayer.exe: suspect BehavesLike:Trojan.Downloader
C:\Program Files\Windows Media Player\wmplayer.exe: disinfection failed
C:\WINNT\farmmext.exe: infected with Trojan.Downloader.Stubby.A
C:\WINNT\farmmext.exe: disinfection failed
C:\WINNT\protector.exe: infected with BehavesLike:Win32.ExplorerHijack
C:\WINNT\protector.exe: disinfection failed
C:\WINNT\system32\dist001.exe: infected with Dropped:Trojan.Downloader.VB.EU
C:\WINNT\system32\dist001.exe: disinfection failed
C:\WINNT\system32\exp.exe: infected with Trojan.Downloader.Small.ABD
C:\WINNT\system32\exp.exe: disinfection failed
C:\WINNT\system32\installer_MARKETING18.exe: infected with Dropped:Trojan.Downloader.Small.ABD
C:\WINNT\system32\installer_MARKETING18.exe: disinfection failed
C:\WINNT\system32\TFTP256: infected with Trojan.Pakes.C
C:\WINNT\system32\TFTP256: disinfection failed
C:\WINNT\system32\wintask.exe: infected with Trojan.Downloader.Small.ABD
C:\WINNT\system32\wintask.exe: disinfection failed
C:\WINNT\system32\wrapperouter.exe: infected with Trojan.Dropper.Agent.HL
C:\WINNT\system32\wrapperouter.exe: disinfection failed
--------------
Trend Micro Scan - 3 files found, unfixable...though they deleted just fine:
C:\Program Files\SDF.exe
C:\WINNT\System32\Main.exe
C:\WINNT\Farmmext.exe
---------------
HIJACK THIS LOG!!!!!!!!!!!!
Logfile of HijackThis v1.99.1
Scan saved at 9:36:31 AM, on 5/5/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Program Files\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zzzHPSETUP] G:\Setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitebdw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.my.newhorizons.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/02030035/cccabs/CleverContent.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) - http://radioshow.rcsworks.com/rsinstall/RSRadioTuner.Cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0b5a17/netzip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup140f1.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
Thanks again, you guys are the best!
Posted by: Lobos
If you still need help, please post another log.
Posted by: kcnative
Thanks for the reply! Here is a current log:
Logfile of HijackThis v1.99.1
Scan saved at 8:51:22 AM, on 5/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.my.newhorizons.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/02030035/cccabs/CleverContent.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) - http://radioshow.rcsworks.com/rsinstall/RSRadioTuner.Cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0b5a17/netzip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup140f1.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
Posted by: Warez Monster
Remove these entries at your own risk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank This page could possibly be nasty.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search This entry should be fixed by HijackThis!
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll Entries found in this registry zone are potentially nasty. This application ([4E7BD74F-2B8D-469E-C0FF-FD60B590A87D] - Result: 4E7BD74F-2B8D-469E-C0FF-FD60B590A87D) has been checked.
O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe Unknown application.
O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe Unknown application.
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe WORM_SDBOT.FO Must be fixed!
Posted by: kcnative
Thanks for the help! I deleted what I was able to find, but there were a few that were no longer there. I also deleted a few things I knew I didn't need anymore, like the highstream stuff.
I use Norton Antivirus Corporate Edition, and it's been telling me for a few days that I've got a virus called "trojan.dropper" on my computer. It tells the location, but I can't find the file when looking to find it. The quarantine failed, and I can't seem to nab it with any of the scans (I scanned and deleted all day yesterday). Can you point me in the right direction?
I did all of the scans and such yesterday, and just now redid a hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:51 AM, on 5/19/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Program Files\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsj1B.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.my.newhorizons.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/02030035/cccabs/CleverContent.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) - http://radioshow.rcsworks.com/rsinstall/RSRadioTuner.Cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0b5a17/netzip/RdxIE601.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup140f1.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
Posted by: kcnative
Actually, I just found the offending file (at least it's the one my antivirus told me about) using PowerDesk and deleted it. It seems to be different from the previous file names, though...like the exe files change periodically.
Edit: Nevermind...it's back again. "thin poker installer.exe" seems to be the filename of choice lately...
Posted by: Warez Monster
So is this your new log?
Posted by: kcnative
yes
Posted by: Warez Monster
Remove entries at your own risk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Should be fixed if you do not know the application or if no application is mentioned. Should be fixed if you do not know this application.
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsj1B.dll Entries found in this registry zone are potentially nasty. This application ([9ADE0443-2AB2-4B23-A3F8-AC520773DE12] - Result: ) has been checked.
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe Unknown application.
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/02...everContent.cab Check if you know this site and fix it if you do not.
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx Check if you know this site and fix it if you do not.
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...asetup140f1.cab Check if you know this site and fix it if you do not.
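As an added example (not part of this thread and not HijackThis code), the checks the helper applied by hand in the two analysis posts above can be scripted over log lines in this format: search/start pages reset to about:blank, URLSearchHooks with no backing file, BHOs loaded from the system directory, Run entries with random-looking names or bare filenames, and DPF ActiveX downloads. The sample lines are constructed from entries quoted in the thread; the severity labels and the random-name heuristic are the example's own.

```python
"""Triage helper for HijackThis-style logs (constructed example).

It scripts the checks a helper applies by hand and prints a triage list,
not verdicts: legitimate entries (e.g. mobsync.exe) will appear too, so a
person still confirms each hit before fixing anything.
"""
import re
from typing import List, Tuple

Hit = Tuple[str, str, str]  # (severity, log line, reason)

# Constructed sample in the format HijackThis writes; raw string, so the
# backslashes are literal. Mix of entries a helper flagged and left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsj1B.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe
O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0b5a17/netzip/RdxIE601.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM_DIRS = ("\\system32\\", "\\winnt\\", "\\windows\\")


def first_token(cmd: str) -> str:
    """Executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0] if cmd else ""


def looks_random(name: str) -> bool:
    """Heuristic for Run names like oF4i33l or lxcqqz: letters mixed with
    digits and no spaces, or five-plus characters with no vowel at all."""
    if " " in name:
        return False
    mixed = bool(re.search(r"\d", name)) and bool(re.search(r"[A-Za-z]", name))
    no_vowels = len(name) >= 5 and not re.search(r"[aeiou]", name, re.I)
    return mixed or no_vowels


def check_entry(line: str) -> List[Hit]:
    """Apply the per-section checks to one log line."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    hits: List[Hit] = []
    if sec in ("R0", "R1") and low.endswith("= about:blank"):
        hits.append(("suspect", line, "search/start page reset to about:blank"))
    if sec == "R3" and low.endswith("(no file)"):
        hits.append(("fix", line, "URLSearchHook with no backing file"))
    if sec == "O2":
        path = body.rsplit(" - ", 1)[-1].lower()  # last field is the DLL path
        if any(d in path for d in SYSTEM_DIRS):
            hits.append(("suspect", line, "BHO loaded from the system directory, not a vendor folder"))
    if sec == "O4":
        r = RUN_RE.search(body)
        if r:
            name, exe = r.group("name"), first_token(r.group("cmd"))
            if looks_random(name):
                hits.append(("suspect", line, f"random-looking Run name '{name}'"))
            if "\\" not in exe and "/" not in exe:
                hits.append(("review", line, f"bare filename '{exe}' resolved via the search path"))
    if sec == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            hits.append(("suspect", line, f"ActiveX control served from bare IP {host}"))
        else:
            hits.append(("review", line, f"ActiveX control from {host}: confirm you know the site"))
    return hits


def triage(log_text: str) -> List[Hit]:
    """Run check_entry over every non-empty line of a log."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            hits.extend(check_entry(line))
    return hits


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:7}] {why}\n          {line}")
```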
Posted by: kcnative
Thanks again for the help! I deleted the listings you mentioned.
I'm still getting the notification about the "trojan.dropper" virus present on my computer, however. Do you know how to go about getting rid of that one?
Posted by: Warez Monster
You can post another log; if I see it in there again, well then it keeps regenerating, so we gotta take another route.
Posted by: Warez Monster
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Restart the computer in Safe mode or VGA mode.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as Trojan.Dropper.