damn pc virus/trojan...need help please
#1
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Last night my wife saw an email, thought I was doing something I wasn't supposed to be, and clicked on the link. It was hidden in some "sexy vid" or something like that file. Of course she wanted to see what I was supposed to have been looking at. Then it happened; my virus scan popped up with this virus. It is a major pain in the ass.
This thing killed my virus scan, firewall and system restore. I think I removed everything on it but I still must have a few remnants around. I did a safe boot virus scan and regedit. Everything seems to be removed (or at least that is what Norton is telling me). The problem is that with everything stated as gone I still can't access the internet with my cable modem. For a while I couldn't even use dialup but that fixed itself I guess. This virus is called backdoor.prorat. That's all I know. Luna was very kind in helping me search on it and there are a few variations. I did find a system recovery disc for it but I can only do a full recovery with it. As of right now I have 2 side effects from this thing.
1. I can't get online with my cable modem
2. I keep getting messenger popups from ZA about it wanting to be a server
Does anyone know what settings I could check to see why my high speed connection doesn't work? It's not the modem itself because I'm using it now with another PC.
Also, if all system restore points are gone and this virus no longer shows up on any scans (normal, safe boot), how can I find out why I have these couple of probs?
EDIT:
I can't make a usable backup disc because my laptop needs a floppy drive, which it doesn't have.
Last edited by ChrisHicks; 07-19-04 at 01:19 PM.
#2
DVD Talk Godfather
Here's what trendmicro.com had to say about this type of virus
I hope you find something that helps. They also have free online virus scanning if you can ever get that computer online.
#3
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
update:
I am now back online with the PC that was infected. It appears (hopefully) that it is now clean (crosses fingers). I have Norton and Zone Alarm working again. I also used the free virus scan at www.trendmicro.com and it said I was clean too. The only thing I can't figure out is that now messenger (msmsgs.exe) is running in the background and I can't stop it.
#4
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
UPDATE #2:
I have installed Spybot and I'm going to see if it will run to see what it finds. I'll keep everyone updated.
=========================================================================
EDIT: Spybot found the following items:
CoreMetrics: Tracking cookie (Mozilla: default) (Cookie, nothing done)
Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm
Aornum: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)
Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3783647064-1975767053-1234003639-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
FreeScratchAndWin: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)
HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)
HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)
HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)
HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)
Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb
are all these safe to remove/delete? I know about the cookies but what about the rest?
#5
Senior Member
Join Date: Dec 1999
Posts: 327
Try this:
http://www.grc.com/stm/shootthemessenger.htm
to stop the ms messenger service using that tool.
#6
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
the program that keeps running is msmsgs.exe. is that the same messenger? it keeps wanting to act as a server according to ZA. I just blocked its access and did the "don't show this message again" for it because it was getting annoying.
#7
Senior Member
Join Date: Dec 1999
Posts: 327
Yes, I believe it is. I have been using tools over at GRC; I've used a number of the tools, including his Shields Up, to test my firewalls. Give it a try. All it does is help you to disable the Messenger service, which really doesn't do anything for the end user.
#8
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Originally posted by ChrisHicks
UPDATE #2:
I have installed Spybot and I'm going to see if it will run to see what it finds. I'll keep everyone updated.
=========================================================================
EDIT: Spybot found the following items:
Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm
Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3783647064-1975767053-1234003639-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb
are all these safe to remove/delete? I know about the cookies but what about the rest?
Cydoor is spyware usually found in P2P programs such as kazaa
The DSO exploits, I can't explain them, but it takes a registry entry to remove them completely. Needs to be removed
Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb
The bad one! Go here: http://www.pestpatrol.com/PestInfo/r/roings_com.asp
and do an online scan. The button is at the top right of the webpage and says "Free Pest Scan". It should detect and remove it for you! If it doesn't, then the manual way is:
1)Stop Running Processes:
Kill these running processes with Task Manager: unstall.exe
2)Unregister DLLs:
Unregister these DLLs with Regsvr32, then reboot:
systemroot+\system\wat.dll
systemroot+\system32\wat.dll
3)Clean the registry entries
HKEY_CLASSES_ROOT\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\software\classes\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\software\roimoi
4)Remove Files:
Remove these files (if present) with Windows Explorer:
systemroot+\system\wat.dll
systemroot+\system32\wat.dll
unstall.exe
Hope this helps
PS: Download HijackThis and unzip it to a folder NOT on the desktop or in the temp directory, then execute the program > click on the scan button; when finished, the scan button will turn to "savelog". Save the log to the hard drive. Locate and open the log file with Notepad (make sure this file type is unchecked) and copy and paste the contents back to this thread.
I can read (decipher) HijackThis much easier.
thanks
Last edited by 68ShelbyGT500KR; 07-19-04 at 08:20 PM.
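The four manual steps in the post above (stop the process, unregister the DLLs, delete the registry keys, delete the files) amount to a checklist of indicators. The Python below is an added example, not PestPatrol's or the poster's code: it takes a snapshot of a machine's running processes, files and registry keys and reports which of the indicators the post names are present, in the order the steps remove them. `SAMPLE_SNAPSHOT` is constructed for the example; on a real machine you would fill the three lists from Task Manager, Explorer and regedit (or `tasklist`, `dir` and `reg query`). The `systemroot+\` prefix is PestPatrol's notation and is expanded to a `system_root` argument that defaults to `C:\WINDOWS`, the directory the HijackThis log later in the thread shows.

```python
"""Audit a host snapshot for the Roings artifacts named in the post above.

Added example, not PestPatrol's or the poster's code.  SAMPLE_SNAPSHOT is
constructed; the indicator strings are copied from the post.
"""

# Indicators exactly as the post lists them.  "systemroot+\" is PestPatrol's
# notation for the Windows directory (C:\WINDOWS on this XP machine).
ROINGS_INDICATORS = {
    "process": ["unstall.exe"],
    "dll": [r"systemroot+\system\wat.dll", r"systemroot+\system32\wat.dll"],
    "registry": [
        r"HKEY_CLASSES_ROOT\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}",
        r"HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{f2863ede-7980-443a-aea2-0f46076d590f}",
        r"HKEY_LOCAL_MACHINE\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}",
        r"HKEY_LOCAL_MACHINE\software\classes\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}",
        r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{f2863ede-7980-443a-aea2-0f46076d590f}",
        r"HKEY_LOCAL_MACHINE\software\roimoi",
    ],
    "file": [r"systemroot+\system\wat.dll", r"systemroot+\system32\wat.dll", "unstall.exe"],
}

# (step label from the post, indicator class, which snapshot list to search)
STEPS = [
    ("1) stop process", "process", "processes"),
    ("2) unregister DLL", "dll", "files"),
    ("3) delete registry key", "registry", "registry_keys"),
    ("4) delete file", "file", "files"),
]


def normalize(item, system_root=r"C:\WINDOWS"):
    """Case-fold a path or registry key and expand the 'systemroot+\\' prefix."""
    item = item.strip().lower()
    prefix = "systemroot+\\"
    if item.startswith(prefix):
        item = system_root.lower() + "\\" + item[len(prefix):]
    return item


def _matches(kind, indicator, observed):
    """Processes and bare file names match on basename, registry keys also
    match their subkeys, everything else must match exactly."""
    basename = observed.rpartition("\\")[2]
    if kind == "process" or (kind == "file" and "\\" not in indicator):
        return basename == indicator
    if kind == "registry":
        return observed == indicator or observed.startswith(indicator + "\\")
    return observed == indicator


def audit_snapshot(snapshot, system_root=r"C:\WINDOWS"):
    """Return (step, indicator, observed) findings in the post's removal order."""
    findings = []
    for step, kind, section in STEPS:
        observed_items = [normalize(x, system_root) for x in snapshot.get(section, [])]
        for indicator in ROINGS_INDICATORS[kind]:
            target = normalize(indicator, system_root)
            for observed in observed_items:
                if _matches(kind, target, observed):
                    findings.append((step, indicator, observed))
    return findings


# Constructed snapshot: a few legitimate entries plus each artifact class once.
SAMPLE_SNAPSHOT = {
    "processes": [r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\System32\Unstall.exe"],
    "files": [
        r"C:\WINDOWS\system32\wat.dll",
        r"C:\WINDOWS\System32\objsafe.tlb",  # Spybot's hit; not on PestPatrol's list
        r"C:\WINDOWS\System32\Unstall.exe",
    ],
    "registry_keys": [
        r"HKEY_LOCAL_MACHINE\SOFTWARE\roimoi",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\roimoi\Settings",
        r"HKEY_CLASSES_ROOT\CLSID\{F2863EDE-7980-443A-AEA2-0F46076D590F}",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    ],
}

if __name__ == "__main__":
    for step, indicator, observed in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"{step:<24} {indicator} -> {observed}")
```

One caveat the sample makes visible: Spybot's hit was `C:\WINDOWS\System32\objsafe.tlb`, which is not among the artifacts PestPatrol lists, so the audit above leaves it alone. A clean run here only says the PestPatrol-named pieces are gone; it says nothing about the file Spybot complained about.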
#9
DVD Talk Hero
msmsgs is ms messenger. it can be stopped by going into msconfig under the services tab, no need to use a 3rd party program to do it
#10
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Originally posted by 68ShelbyGT500KR
Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb
The bad one! Go here http://www.pestpatrol.com/PestInfo/r/roings_com.asp
and do an online scan-the Button is at the top right of the webpage, says "Free Pest Scan". It should detect and remove for you! If it doesn't then the manual way is:
Kill these running processes with Task Manager: unstall.exe
Originally posted by 68ShelbyGT500KR
PS: Download HijackThis and unzip it to a folder NOT on the desktop or in the temp directory, then execute the program > click on the scan button; when finished, the scan button will turn to "savelog". Save the log to the hard drive. Locate and open the log file with Notepad (make sure this file type is unchecked) and copy and paste the contents back to this thread.
I can read (decipher) HijackThis much easier.
thanks
here you go:
Logfile of HijackThis v1.98.0
Scan saved at 9:11:35 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horrordvds.com/vb3forum/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.horrordvds.com/vb3forum/"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{040E6040-CDC5-4D61-81AC-C3031484AB8B}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{040E6040-CDC5-4D61-81AC-C3031484AB8B}: NameServer = 205.188.146.146
#11
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
I don't see anything wrong with your HijackThis log file.
FYI: {E0E899AB-F487-11D5-8D29-0050BA6940E3} is associated with FlashGet (fgiebar.dll), so no problems there.
Out of curiosity, navigate to C:\WINDOWS\system32\RAMASST.exe in Windows Explorer and right click on the file > select Properties > Version... What company is associated with that file? Toshiba?
Did Pest Scan detect and/or remove the Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb etc...?
#12
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
I never ran Pest Scan. when I go to their site the free scan spot never loads for me. all I get is a blank box. this Hijackthis log was done without me doing anything since my post about Spybot.
#13
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Originally posted by 68ShelbyGT500KR
Out of curiosity, navigate to C:\WINDOWS\system32\RAMASST.exe in Windows Explorer and right click on the file > select Properties > Version... What company is associated with that file? Toshiba?
#14
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Originally posted by ChrisHicks
UPDATE #2:
I have installed Spybot and I'm going to see if it will run to see what it finds. I'll keep everyone updated.
=========================================================================
EDIT: Spybot found the following items:
CoreMetrics: Tracking cookie (Mozilla: default) (Cookie, nothing done)
Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm
Aornum: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)
Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3783647064-1975767053-1234003639-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
FreeScratchAndWin: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)
HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)
HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)
HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)
HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)
Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb
are all these safe to remove/delete? I know about the cookies but what about the rest?
I had a problem with the DSO Exploits returning and eventually had to modify the registry entry to clear it from Spybot.
In case you weren't aware, if you highlight an item, to the far right of the Spybot screen it should give you a little info on the item.
#16
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Originally posted by ChrisHicks
I ran the pest scan and it didn't show the Roings file.
Do the Spybot thing and if it "sees" anything in red, let it zap it off your system.
How did you finally get Pestscan to work for you?
#18
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
ok here is a question...
I just updated my Spybot definitions and did a scan. in the process this same trojan(the one this thread is about) popped up by Norton. I remember doing a scan with AdAware and it picked up something from my registry the day I got the trojan. I thought I deleted the backup but I guess I didn't.
I didn't get reinfected as far as I can tell since Norton says it's automatically deleted. but it does have a backup of the 2 files. I rechecked my registry for any hints of this trojan and found nothing. my AV and Firewall are still working properly.
I just have a remnant of this somewhere on my pc. I think it is in AdAware. do I have to do anything besides deleting my AdAware backup and my Norton backup? should I boot into safe mode to delete this stuff and rerun my AV?
The thing that has me concerned is one of the 2 files is called "services.exe". On Symantec's site they list the name as "Sservice.exe".
what should I do?
#19
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Where is the file located? C:\Windows\System32? If so, it should be ok. You can right click on the file, select Properties and click on the "Version" tab; it should say Microsoft as the company. File size is 99.0 KB (101,376 bytes).
Double check the exact spelling of the file in question!!
For any other locations that may be present on your computer, take a look at this writeup:
http://www.neuber.com/taskmanager/pr...vices.exe.html
Don't forget to disable System Restore and reboot to clear the Trojan/viruses; otherwise the AV scanner *should* still detect it.
Last edited by 68ShelbyGT500KR; 07-28-04 at 09:00 PM.
#20
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
it's located in C:\windows
file size is 324kb.
should I reboot in safe mode? should I delete the backups that Norton created? what about the file in Adaware? is it safe to delete that file since I already edited the registry for that when I was hit last week? no changes have been made to the registry as far as I can tell. none of the registry changes are there. when I delete the backups will the virus be rereleased on my pc?
#21
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by ChrisHicks
it's located in C:\windows
file size is 324kb.
should I reboot in safe mode? should I delete the backups that Norton created? what about the file in Adaware? is it safe to delete that file since I already edited the registry for that when I was hit last week? no changes have been made to the registry as far as I can tell. none of the registry changes are there. when I delete the backups will the virus be rereleased on my pc?
In your HijackThis log dated
Logfile of HijackThis v1.98.0
Scan saved at 9:11:35 PM, on 7/19/2004. In the running process,you have the correct path to services.exe . Somewhere between that date and today you created another problem. Can you run another HijackThis log after you finish?
#22
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes
on
0 Posts
I do have a services.exe located in the system32 file. size is 98kb.
here is the log:
Logfile of HijackThis v1.98.0
Scan saved at 10:07:49 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\MYIE2\MyIE.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horrordvds.com/vb3forum/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.horrordvds.com/vb3forum/"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
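The check 68ShelbyGT500KR describes (is services.exe running from System32, and is the name spelled exactly right) can be applied mechanically to the "Running processes" section of a HijackThis log. The script below is an added example, not part of the thread and not HijackThis code. The SYSTEM32_ONLY reference list is an assumption for the example, the first log is an abbreviated copy of the one posted above, and the second log is constructed to contain a services.exe in C:\WINDOWS and a misspelled svch0st.exe so the detection has something to flag.

```python
import ntpath
from typing import List, Tuple

# Binaries that, on Windows XP, legitimately run only from %SystemRoot%\System32.
# Constructed reference list for this example; extend it for your own baseline.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Abbreviated copy of the HijackThis log posted in the thread.
THREAD_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 10:07:49 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horrordvds.com/vb3forum/index.php?
"""

# Constructed log: the same machine with a second services.exe outside System32
# (the situation in the thread) and a look-alike name with a zero for an 'o'.
CONSTRUCTED_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\svch0st.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            # The section ends at the first item line (R0, O2, O4, ...) or a blank line.
            if not s or (len(s) > 3 and s[0].isalpha() and s[1].isdigit() and " - " in s[:5]):
                break
            paths.append(s)
    return paths


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path: str, system32: str = r"c:\windows\system32") -> str:
    """'ok', 'wrong-location', 'lookalike:<name>' or 'unknown' for one process path."""
    directory, name = ntpath.split(path)
    name_l, dir_l = name.lower(), directory.lower().rstrip("\\")
    if name_l in SYSTEM32_ONLY:
        return "ok" if dir_l == system32 else "wrong-location"
    for known in sorted(SYSTEM32_ONLY):
        if edit_distance(name_l, known) == 1:
            return f"lookalike:{known}"
    return "unknown"


def suspicious_processes(log: str) -> List[Tuple[str, str]]:
    """Paths from the log that are core system binaries in the wrong place, or near-misses."""
    hits = []
    for path in running_processes(log):
        verdict = classify(path)
        if verdict not in ("ok", "unknown"):
            hits.append((path, verdict))
    return hits


if __name__ == "__main__":
    for label, log in (("thread log", THREAD_LOG), ("constructed log", CONSTRUCTED_LOG)):
        print(label, "->", suspicious_processes(log) or "nothing flagged")
```

A hit is a lead, not a verdict: the real decision still comes from the properties check described earlier in the thread (company name on the Version tab, file size close to 99 KB for the genuine XP SP1 services.exe), and a clean result only means nothing matched this short list, as the thread's own log illustrates.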
#23
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes
on
0 Posts
Your HiJack Log is squeaky clean! It should be safe to delete the adaware and norton backups. You can also delete the c:\Windows\services.exe file, the 324kb one (not the one in the system32 folder). Normal mode should delete the files/backups with no problem.
Run a complete scan with Norton and Adaware when done. If no problems (clean) then re-enable System Restore if you wish.
#24
DVD Talk Ultimate Edition
Thread Starter
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes
on
0 Posts
just reran norton and my pc came back clean. should I delete the adaware backup and the norton backup? should I still disable restore and rescan while in safe mode?
#25
DVD Talk Gold Edition
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by ChrisHicks
just reran norton and my pc came back clean. should I delete the adaware backup and the norton backup? should I still disable restore and rescan while in safe mode?