BullGuard Antivirus Forum (Virus Removal / Removal Help)

Hmm...trojan Help

Amy (New Member), posted 7-26-2004 11:49 (GMT +1):
So I've gone through quite a process: running BullGuard for over 30 hours first (I posted the log below). After it was at 100% (but still didn't stop) I closed it out, closed both that and McAfee entirely, and then ran HijackThis... and got the log below. I have turned off System Restore, but I don't know what I need to do now, and strangely the computer is running at at least 50 times the speed it has been for the past day or so. Anyway, help?
 
 
Logfile of HijackThis v1.97.7
Scan saved at 4:38:13 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\system32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BullGuard\bgnewsag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\TEMP.JEPPSON.001\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\OneTouchMon.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] c:\program files\bullguard\bgnewsag.exe
O4 - HKLM\..\Run: [McafDellTag] C:\Program Files\McAfee.com\Agent\mcdeltag.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://travel.beminc.com/iNotes6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
 
 
BullGuard report file
//
// Created on: 25/07/2004 10:24:30
//
//-----------------------------------------------------------------

Summary:
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>CmnIds.vbs Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/arrow_right.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/btn_signup_52x20.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/more_info.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_bottom.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_bottom_red.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_top.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_top_red.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/transpix.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/watermark_mys_150x130.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>oemcfg.vbs Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>OEMIds.vbs Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>valert.htm Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>valert_old.htm Password protected
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Belt.exe Infected Trojan.Downloader.Stubby.A
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Belt.exe Disinfection failed - Trying second action
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Belt.exe Moved
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Installer2.exe=>(Embedded EXE o) Infected Trojan.Clicker.Delf.R
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Installer2.exe=>(Embedded EXE o) Disinfection failed - Trying second action
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Installer2.exe=>(Embedded EXE o) Move failed
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\ncmyb.dll Infected Adware.1088
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\ncmyb.dll Disinfection failed - Trying second action
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\ncmyb.dll Moved
C:\Documents and Settings\Samantha Jeppson\Local Settings\Temp\~7772838386.tmp Infected Trojan.Downloader.Siboco.A
C:\Documents and Settings\Samantha Jeppson\Local Settings\Temp\~7772838386.tmp Deleted
Statistics
Scan path : A:\
  C:\
  D:\
  E:\
Folders : 1903
Files :  162106
Archives : 4615
Packed files : 9220
Identified viruses : 4
Infected files : 4
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 1
Copied files : 0
Moved files : 2
Renamed files : 0
I/O errors : 13
Scan time : 29:55:22
Scan speed (files/sec) : 1
Virus definitions : 87568
Scan plugins : 12
Archive plugins : 36
Unpack plugins : 3
Mail plugins : 6
System plugins : 1
Scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user
Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report
 
 

Amy (New Member), posted 7-27-2004 12:52 (GMT +1):
New after CWShredder. Please help me. Please.


Logfile of HijackThis v1.97.7
Scan saved at 5:51:10 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BullGuard\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TEMP.JEPPSON.001\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\OneTouchMon.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] c:\program files\bullguard\bgnewsag.exe
O4 - HKLM\..\Run: [McafDellTag] C:\Program Files\McAfee.com\Agent\mcdeltag.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://travel.beminc.com/iNotes6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
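
The two logs above are the raw material a helper works from, so here is an added example (not code from the thread, from HijackThis or from BullGuard) of doing that triage in Python: it parses HijackThis v1.97 lines, flags the entries a responder would check first, and diffs the first log against the one posted after CWShredder. The sample logs are short excerpts transcribed from the two posts, so treat them as constructed input; the heuristics (an F0/F2 Shell= value that loads anything besides Explorer.exe, an O3 toolbar with no file, an O4 autostart whose executable is a bare filename, has no vowels, or is named after a system directory) are my own rules of thumb, not anything HijackThis itself does.

```python
import re

# Excerpts of the two HijackThis logs posted above, transcribed from the
# thread and trimmed to the lines that matter here (constructed input).
LOG_BEFORE = [
    r"Logfile of HijackThis v1.97.7",
    r"Running processes:",
    r"C:\WINDOWS\Explorer.exe",
    r"C:\WINDOWS\System32\system32.exe",
    r"C:\Program Files\BullGuard\bgnewsag.exe",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40",
    r"F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe",
    r"O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)",
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe",
    r"O4 - HKLM\..\RunServices: [SystemSAS] system32.exe",
]
# The second log (after CWShredder): same entries, different process list.
LOG_AFTER = [
    r"Logfile of HijackThis v1.97.7",
    r"Running processes:",
    r"C:\WINDOWS\Explorer.exe",
    r"C:\Program Files\BullGuard\vsserv.exe",
] + LOG_BEFORE[5:]

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
VOWELS = set("aeiou")


def parse_hjt(lines):
    """Return (running_processes, [(section, text), ...]) for one log."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def split_cmd(value):
    """Split a Shell=/Run value into tokens, honouring quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def flag_entries(entries):
    """Heuristic triage: [(section, text, reasons, fix)] for entries a responder
    should look at first.  Candidates, not verdicts: BCMSMMSG.exe below is a
    legitimate Broadcom modem helper that trips the bare-name and vowel rules."""
    findings = []
    for section, text in entries:
        reasons, fix = [], None
        if section in ("F0", "F2") and "Shell=" in text:
            parts = split_cmd(text.split("Shell=", 1)[1])
            if [p.lower() for p in parts] != ["explorer.exe"]:
                reasons.append("extra program loaded with the shell: " + " ".join(parts[1:]))
                fix = "Shell=Explorer.exe"
        elif section == "O3" and text.endswith("(no file)"):
            reasons.append("toolbar CLSID points at a missing file")
            fix = "delete the orphaned registry entry"
        elif section == "O4":
            m = RUN_RE.search(text)
            parts = split_cmd(m.group("cmd")) if m else []
            exe = parts[0] if parts else ""
            stem = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
            if exe and "\\" not in exe:
                reasons.append("bare filename, resolved via the search path at logon")
            if stem in ("system32", "system", "windows"):
                reasons.append("name masquerades as a system directory")
            if len(stem) >= 6 and not (set(stem) & VOWELS):
                reasons.append("random-looking name")
            if reasons:
                fix = "remove the autostart value and quarantine " + exe
        if reasons:
            findings.append((section, text, reasons, fix))
    return findings


def diff_logs(before, after):
    """What changed between two logs of the same machine."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "entries_added": sorted(set(ea) - set(eb)),
        "entries_removed": sorted(set(eb) - set(ea)),
        "processes_gone": sorted(set(pb) - set(pa)),
        "processes_new": sorted(set(pa) - set(pb)),
    }


if __name__ == "__main__":
    for section, text, reasons, fix in flag_entries(parse_hjt(LOG_BEFORE)[1]):
        print(section, "|", text, "\n    ", "; ".join(reasons), "->", fix)
    print(diff_logs(LOG_BEFORE, LOG_AFTER))
```

Run against these excerpts the diff shows no persistence entry added or removed between the two posts: CWShredder changed nothing that matters, and system32.exe only dropped out of the process list because it happened not to be running when the second log was taken. The same F0/F2 Shell= lines, the RunServices value and the random-named Run entry are exactly the lines the moderator later asks to have fixed.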

Touch (Forum Moderator), posted 7-27-2004 5:03 (GMT +1):
Hi Amy
Install a firewall: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
If you use BullGuard's firewall, deactivate it!
And deactivate one of your virus programs.
Deactivate System Restore.
Run HijackThis, close all other windows, put a checkmark next to these, and Fix:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
Find and delete:
C:\WINDOWS\System32\system32.exe <<<Exe File
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL >>>Folder
C:\WINDOWS\FLSYFMSZC.exe <<<<<File
Boot to normal mode, and run: http://housecall.trendmicro.com/ 
And post a new log

Amy (New Member), posted 7-27-2004 6:11 (GMT +1):
I've done everything you've suggested, up until finding and deleting the files and folder above. I could not find them. Is there a better way to try and find them other than Start > Search?

Touch (Forum Moderator), posted 7-27-2004 6:17 (GMT +1):
Try finding from explorer.

Amy (New Member), posted 7-27-2004 6:21 (GMT +1):
Sorry. I feel stupid asking this, but how?

Touch (Forum Moderator), posted 7-27-2004 7:35 (GMT +1):
There are no stupid questions, only stupid answers.

Open Explorer through My Computer, C: drive, and find:
C:\WINDOWS\System32\system32.exe <<<Exe File
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL >>>Folder
C:\WINDOWS\FLSYFMSZC.exe <<<<<File

Double-click on Windows, find the system32 folder below, double-click, and find system32.exe; delete it.

Same procedure with the others.

Amy (New Member), posted 7-27-2004 8:30 (GMT +1):
Hi.

system32.exe won't let me delete it, as it says access denied... MYBAR.DLL is now gone, and I can't find FLSYFMSZC.exe. How do I override the access denied error to delete the system32.exe file?

old_fart (New Member), posted 7-28-2004 12:26 (GMT +1):
Amy

Saw that no one picked up your last post, so thought I'd give it a go.

Here is a site that has a downloadable scanner and remover for system32.exe

http://www.2-spyware.com/file-system32-exe.html

You cannot remove it because it is running. Open Task Manager and look for it in Processes. Stop it, and then delete it. It may come back on boot. You will need to turn off System Restore, and then remove it.

You may also have some registry entries that are affecting it, and may cause you to get a pop-up on boot stating that you have a missing file: System32.exe. All will still work, but it is annoying.

If you have never edited the registry, it can be tricky, so you may not want to try it.

Another approach would be to kill the .exe, remove the file, and then do a System Restore to some previous date prior to the infection. Of course, this won't work if you have already turned it off.

Multiple AV programs running interfere with each other. One of the best I have found is AVG from Grisoft, free too. It is the least intrusive, and can find these trojans on a scan.

I will unfortunately be working on my XP box tonight, so e-mail me if you are on. I don't do messaging, also too intrusive, but I can answer questions through e-mail.

You can post here if you don't find my e-mail. Double-click on my profile and it is in the comments.

Post Edited (old_fart) : 7/27/2004 11:31:17 PM GMT
