Tr0jan v. has control of my comp. I can't run H!jackTh!s

Discussion in 'adware, spyware & hijack cleaning' started by garrett678, May 19, 2004.

Thread Status:
Not open for further replies.
  1. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    What should I do? The tr0jan doesn't let me do certain searches (ie automatically closes the browser window if it contains certain words like v!ru s or H!jackTh!s). How do I combat this beast?


    Thanks for your help!
     
  2. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Ran an Online V!rus search with Symantec Security and found the following:

    C:\WINDOWS\SYSTEM32\odbc.hta is infected with VBS.StartPage
    C:\WINDOWS\SYSTEM32\wininit32.exe is infected with W32.Xabot.Worm
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP104\A0005042.exe is infected with W32.IRCBot.Gen
    C:\Program Files\Outlook Express\outl32c.exe is infected with Backdoor.Jeem
    C:\Program Files\Outlook Express\outlkl.exe is infected with Trojan dropper
    C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-6fb58320.zip is infected with Trojan.ByteVerify

    What to do?
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi garrett678 :)

    Welcome to Wilders.

    U still can't download HijackThis?

    If not, send me a PM with your email addy and i'll email u a copy of HijackThis.

    When u recieve it, just move it to it's own folder, unzip, scan and post the log here.


    snowbound
     
  4. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    I had a copy of HJ Th!s from a previous Tr0jan encounter but it can't be opened (just like other antiv!rus programs or webpages that scan for them except for Symantec's website, thats where I got the previous info from)
     
  5. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    I just downloaded another copy of HJT but I can't open it... o_O :mad:
     
  6. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    After doing alt-control-del, for a split second, I can see that there are many things runnings at the same time under the "Processes" tab, then it's blocked off again
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi garrett678,

    If you can bring up the TaskManager (ctl+alt+del keys), and you see these files running:

    wininit32.exe
    msrexe.exe


    Try and end task on them if you can (especially the wininit32.exe)

    Then without rebooting, go to the on-line scan and do a FULL system scan.

    What is your operating system? And do you have a firewall installed and an antivirus?

    Regards,

    snap
     
  9. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    From what I can see, those two programs are not running. But that doesn't mean they aren't running behind my back as the processes tab is blocked off.. I get a millisec peek in once in a while and see a whole list of things running that doesn't show up on the "Applications" tab.

    I just ran the Panda Online scan (as my own Anti-Virus and HJT cannot be opened.. I open them and they get shut down).. and they disinfected 15 files.

    Virus:Trj/ClassLoader.B
    Virus:Exploit/ByteVerify (multiple ones)
    Virus:Trj/Downloader.CL Virus:Trj/Revop.F
    Virus:Bck/Jeem
    Virus:Trj/Downloader.G
    Virus:Trj/Runet.A
    Virus:Trj/StartPage.AY
     
  10. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    I'm on XP... I might have set up a firewall before but I don't remember
     
  11. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    For some reason I still can't get that HTJ to open.. :mad:
     
  12. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Okay after another glimpse of the "Processes" tab, wininit32.exe is indeed running.. how do I shut it down if I can't get to it in a millisecond?
     
  13. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Ok, that is a nasty worm:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html

    Since you are on XP, then go off line and boot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Then navigate to your C:\Windows\System32 folder. Find the wininit32.exe and delete it. If for some reason it won't let you delete it in safe mode (it should), then rename it.

    While you are in safe mode and in your System32 folder, look for a file called msrexe.exe. If you find that one, then do the same as you did with wininit32.exe.

    You can try and run your antivirus in safemode, but it may have been damaged by the worm.

    Try and go back on line and do a full system scan at one of the antivirus sites given in the link snowbound posted.

    Let us know how it goes, and if you have any questions, please ask first.

    There will be more steps involved, but lets try the above first.

    snap
     
  14. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    If you are unsure if your XP's firewall is on or not, then check these settings and make sure it is turned on.

    From Microsoft: http://www.microsoft.com/security/protect/firewall.asp

     
  15. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Hi guys.. thanks for your help.

    I ran Xp under Safe mode and found the wininit32.exe but not msrexe.exe. Then I deleted wininit32.exe. I was able to run a HJT and here's what I Found: (eee is my renamed HJT program)

    Logfile of HijackThis v1.97.7
    Scan saved at 11:25:14 PM, on 5/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andy\Desktop\eee.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\PopThis\PopThis.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security2\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security2\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
    O4 - HKLM\..\Run: [SysInit] wininit32.exe -services
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security2\UrlLstCk.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -services
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
    O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  16. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    by the way, now that wininit32.exe has been deleted, I can see what's under the "processes" tab for alt-ctl-del (with a number of files running) and also was able to open and run HJT.

    My personal Anti-VIrus turned up nothing, but I"m runnin g the online Panda Antivirus right now..
     
  17. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    I'm still on Safe mode by the way..
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just tick these 3 entries for the trojan startup, then choose fix selected. You should close all windows except Hijack This usually, but since you deleted the file already this trojan is dead. Your system looks clean, go back to normal mode :)

    O4 - HKLM\..\Run: [SysInit] wininit32.exe -services

    O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -services

    O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers

    I'd appreciate if in future you send suspected files to submit@diamondcs.com.au - deleting them out of a startup log with HiJackThis is of course most important so they arent running !
     
  19. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Online AntiVirus search turns up nothing bad...
     
  20. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Here's what I got after deleting those three that you suggested..
    What about the O3 entry?
    Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:44:50 PM, on 5/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andy\Desktop\eee.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\PopThis\PopThis.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security2\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security2\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security2\UrlLstCk.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  21. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Well done garrett, I'm glad you got everything to work again.

    You can add these 2 to the list that Gavin has posted to be fixed in HijackThis:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)

    (and this one if you did not set it yourself)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Regards,

    snap
     
  22. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Why do I have several SVCHOST.Exe running at the same time? I have quite a few programs running under Processes from alt-ctl-del! Is that normaL?

    Here's the final HJT log:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:16 PM, on 5/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Lightning Download\Lightning.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe
    C:\Program Files\Lightning Download\Lightning.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Zinio\ZDLM.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andy\Desktop\hj.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\PopThis\PopThis.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security2\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security2\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security2\UrlLstCk.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  23. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Garrett, just a reminder, but you should now clear out your System Restore so there is no chance that the infected files could be restored if you should happen to need to use that feature.

    Turn OFF System Restore:
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check the box beside "Turn off System Restore".
    5. Click Apply, and then click OK.
    6. Restart the computer. (You must restart your computer to clear the old Restore Points)

    Turn System Restore ON:
    1. Follow the above Steps 1 to 3
    2. UNcheck the box beside "Turn off System Restore".
    3. Click Apply, and then click OK.
    4. Restart your computer.
    5. And set a new Restore Point.


    Regards,

    snap
     
  24. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Yes, that is normal to have more than one svchost.exe file running. I have about 3 to 4 sometimes depending on how many programs I have opened.

    As long as the svchost.exe is running in the Windows System32 folder and you have no other signs of infection, which you don't now. But it's always wise to do a scan after you've downloaded something, or been heavy surfing, just to be sure nothing has slipped into the computer unknown.

    You can read here on how to keep your computer clean:
    https://www.wilderssecurity.com/showthread.php?t=27971

    And also make sure you go to Microsoft's Update Site and download and have ALL the Critical Updates listed for XP and IE6, installed.

    Regards,

    snap
     
  25. garrett678

    garrett678 Registered Member

    Joined:
    May 19, 2004
    Posts:
    16
    Thank you guys.. I really appreciate it :)
     
Thread Status:
Not open for further replies.