BetterInternet, Start up Trojan, Aurora HELP!!!

Question

Rsilen 0 Newbie Poster

18 Years Ago

I am drowning with some virus problems. Can someone PLEASE help me.
I am a new user and It seems I have some how contracted some terrible problems. No matter how many times I delete and scan and redelete I am unable to rid my system of these...namely:

transponder.abetterinternet.aurora
trojan.startup.Oe3df3

My internet is so slow it makes it very difficult to work.
My Norton picks them up and deletes but when I reboot they are instantly there again so I figure something else is lurking and re-introducing them each time on start up or something....??

Please help as I am desperate. I have been following along with several forums where people have similar problems but I don't have the technical savvy to go it alone :cry:
Your help is very much appreciated.

Thanks,

Roger S.

Logfile of HijackThis v1.99.1
Scan saved at 4:37:04 PM, on 06/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon Silen\My Documents\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?367150&f30574ac6f359e8e1b22b87c2081d33c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Hot Fix - {C0ADA2BE-8247-4F13-A9E5-B2DE5EC4F752} - C:\WINDOWS\System32\hchvr.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [egogaa] c:\windows\system32\mrbarz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.ttcglobaltalk.com/download/ivsetup3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E300D1-6A24-48CE-9FA0-7E369CABBB60}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFFAE3F0-FF1A-4654-96EC-4428C8D55C92}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: THKEYS - Unknown owner - C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe

Thanks a zillion!!

windows-virus

2 Contributors
14 Replies
234 Views
2 Days Discussion Span
Latest Post 18 Years Ago Latest Post by crunchie

All 14 Replies

crunchie 990 Most Valuable Poster

18 Years Ago

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

crunchie 990 Most Valuable Poster

18 Years Ago

You still have a couple of things there that need removing...

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:

O2 - BHO: Internet Explorer Hot Fix - {C0ADA2BE-8247-4F13-A9E5-B2DE5EC4F752} - C:\WINDOWS\System32\hchvr.dll (file missing)

O4 - HKLM\..\Run: [egogaa] c:\windows\system32\mrbarz.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

c:\windows\system32\mrbarz.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

crunchie 990 Most Valuable Poster

18 Years Ago

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

crunchie 990 Most Valuable Poster

18 Years Ago

Can you explain the problems? Your log still looks clear.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Rsilen 0 Newbie Poster · Answer 1 · 2005-06-06T12:34:44+00:00

I really appreciate your help. I hope this does it!! Please let me know
if it looks okay. Here are the logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           11:02:42 PM, 06/05/2005
+ Report-Checksum:      1ADD9B67


+ Date of database:     06/06/2005
+ Version of scan engine:   v3.0


+ Duration:             44 min
+ Scanned Files:            64929
+ Speed:                24.42 Files/Second
+ Infected files:           53
+ Removed files:            53
+ Files put in quarantine:      53
+ Files that could not be opened:   0
+ Files that could not be cleaned:  0


+ Binder:       Yes
+ Crypter:      Yes
+ Archives:     Yes


+ Scanned items:
C:\


+ Scan result:
C:\Documents and Settings\Jon Silen\Cookies\jon [email]silen@adknowledge[1].txt[/email] -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jon Silen\Cookies\jon [email]silen@www.myaffiliateprogram[2].txt[/email] -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jon Silen\Local Settings\Temp\198.tmp\thnall1a.exe -> Spyware.BetterInternet.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\29A64EB6-ACB7-482C-9FEB-B4D47E\5741674F-D3AF-49BD-8787-18AB7F -> Spyware.SBSoft.h -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8ED0EB0C-C2E7-4BB0-9ABE-C1C019\B98312C9-02E0-48B1-8367-C7ED9D -> Spyware.SBSoft.h -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP22\A0000685.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP22\A0001640.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP22\A0002640.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP22\A0003640.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0003779.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0004777.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0005776.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0005789.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0005799.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0006794.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0007797.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0008794.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0009794.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0009807.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0009808.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0010796.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0010808.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0010810.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0010820.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP24\A0010900.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0012927.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0012967.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0012968.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0012979.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0013009.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0013011.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0013013.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0013035.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0013037.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP37\A0013051.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013087.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013090.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013108.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013113.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013121.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013122.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013127.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013130.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0013139.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0014125.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0014142.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0014155.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0014166.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP38\A0014169.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP4\A0000325.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP4\A0000343.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP4\A0000347.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{71540F4E-C400-4C76-92E3-63314A012072}\RP4\A0000348.exe -> Spyware.BetterInternet -> Cleaned with backup



::Report End


Logfile of HijackThis v1.99.1
Scan saved at 11:13:56 PM, on 06/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jon Silen\My Documents\HIJACK THIS\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?367150&f30574ac6f359e8e1b22b87c2081d33c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Hot Fix - {C0ADA2BE-8247-4F13-A9E5-B2DE5EC4F752} - C:\WINDOWS\System32\hchvr.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [egogaa] c:\windows\system32\mrbarz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.ttcglobaltalk.com/download/ivsetup3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E300D1-6A24-48CE-9FA0-7E369CABBB60}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFFAE3F0-FF1A-4654-96EC-4428C8D55C92}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: THKEYS - Unknown owner - C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe

P.S. My internet still seems rather sluggage.....maybe that's another problem??!!
Cheers,

Roger S.

Rsilen 0 Newbie Poster · Answer 2 · 2005-06-06T13:03:32+00:00

Thanks again for your speed and efficiency.

I fixed the files you posted but I was unable to locate
the mrbarz.exe for deletion, I hope it's not hiding somehow.
I am able to view system and hidden files/folders.

I have rebooted my system here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:22 PM, on 06/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jon Silen\My Documents\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?367150&f30574ac6f359e8e1b22b87c2081d33c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.ttcglobaltalk.com/download/ivsetup3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E300D1-6A24-48CE-9FA0-7E369CABBB60}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFFAE3F0-FF1A-4654-96EC-4428C8D55C92}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: THKEYS - Unknown owner - C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe

Thanks again,

Roger S.

Rsilen 0 Newbie Poster · Answer 3 · 2005-06-07T05:31:37+00:00

Unfortunately I'm back!! I am still having problems although
much less severe. I have posted another Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:30:19 PM, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\Macromed\Download\Download.exe
C:\DOCUME~1\JONSIL~1\LOCALS~1\Temp\MSW10.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon Silen\My Documents\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?367150&f30574ac6f359e8e1b22b87c2081d33c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunOnce: [a_usdll] cmd /C "del C:\WINDOWS\system32\Macromed\Download\Download.dll"
O4 - HKLM\..\RunOnce: [b_usexe] cmd /C "del C:\WINDOWS\system32\Macromed\Download\Download.exe"
O4 - HKLM\..\RunOnce: [c_usdir] cmd /C "rmdir /Q C:\WINDOWS\system32\Macromed\Download"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.ttcglobaltalk.com/download/ivsetup3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E300D1-6A24-48CE-9FA0-7E369CABBB60}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFFAE3F0-FF1A-4654-96EC-4428C8D55C92}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: THKEYS - Unknown owner - C:\Program Files\Toshiba\Toshiba Applet\thkeys.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\Toshiba\Toshiba Applet\tme3srv.exe

Thanks so much for your help,

Roger S.

Rsilen 0 Newbie Poster · Answer 4 · 2005-06-07T23:30:22+00:00

Ya,

I still get a POP UP that mimics a microsoft security little grey window
that tells me there is some malicious activity happening and of course if I
click on the warning it takes me to some weird website. When it happens
again I will post more exact info.( where it leads too etc...)
Shouldn't be too long.

The second is when I go to navigate to a website I will be re-directed to some XXX ad site instead of the one I am supposed to see. This is random and happens regularly. The websites that I navigate when it happens are always different.

Thanks again. Hope this helps....

Rsilen 0 Newbie Poster · Answer 5 · 2005-06-07T23:34:34+00:00

One more thing is it appears my browser will automatically click back a few screens at the strangest of times. I will go to a site like my email I will be reading an email and then I hear a click, click ,click and I'm back a few screens!!?? Does that sound strange? This has happened several times completely randomly as far as I can tell.......Or maybe I'm just crazy!

Roger S.

Rsilen 0 Newbie Poster · Answer 6 · 2005-06-07T23:37:54+00:00

I just got another popup!!! This is the address it points too under properties!
I don't know if this tells you anything.
http://neogambling.com/strip-poker.jpg

Rsilen 0 Newbie Poster · Answer 7 · 2005-06-07T23:41:29+00:00

This time I went to go to my Yahoo mail account and I punched in www.yahoo.com and this other poker window thing came up instead.
Very frustrating...

There my window just automatically backed up....I'm not crazy after all I had to press forward just now in my browser window to finish this post..

Rsilen 0 Newbie Poster · Answer 8 · 2005-06-07T23:48:19+00:00

Sorry for so many short posts.
here's the full text for the microsoft mimic window:

Windows Security Center (this is alittle grey box)
WARNING: Windows firewall detected suspicious network activity on your
computer. Malicious software codes try to steal your privacy information
such as credit card numbers, electronic mail accounts, financial data or
passwords.
Do you want to learn how to protect your computer?

Cheers,

Roger S.

Rsilen 0 Newbie Poster · Answer 9 · 2005-06-08T00:35:38+00:00

I just ran a startup report with Ewido, some of the programs look
suspicious to me. Maybe you can take a look:
I've bolded the ones I think might be a problem
---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 11:32:11 AM, 06/07/2005
+ Report-Checksum: 811918D8

Reg\HKLM\Run Apoint C:\Program Files\Apoint2K\Apoint.exe
Reg\HKLM\Run DpUtil C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
Reg\HKLM\Run ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
Reg\HKLM\Run THotkey C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
Reg\HKLM\Run TPWRSAVE C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
Reg\HKLM\Run TMEPROP C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
Reg\HKLM\Run ATIModeChange Ati2mdxx.exe
Reg\HKLM\Run ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Reg\HKLM\Run NDSTray.exe NDSTray.exe
Reg\HKLM\Run LtMoh C:\Program Files\ltmoh\Ltmoh.exe
Reg\HKLM\Run PRONoMgr.exe C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
Reg\HKLM\Run gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Reg\HKLM\Run Drag'n Drop CD+DVD C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
Reg\HKLM\Run SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Reg\HKLM\RunOnce a_usdll cmd /C "del C:\WINDOWS\system32\Macromed\Download\Download.dll"
Reg\HKLM\RunOnce b_usexe cmd /C "del C:\WINDOWS\system32\Macromed\Download\Download.exe"
Reg\HKLM\RunOnce c_usdir cmd /C "rmdir /Q C:\WINDOWS\system32\Macromed\Download"
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run Skype "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
Shell\CommonStartup RAMASST.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 10 · 2005-06-08T17:09:21+00:00

All those files are ok.

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Go into your favourites folder and delete any that did not come with Internet Exploder or that you have added.

Go to http://grc.com/stm/shootthemessenger.htm and download shoot the messenger and follow the instructions. This will disable Windows Messenger. Ignore this if you need it.

BetterInternet, Start up Trojan, Aurora HELP!!!

Recommended Answers Collapse Answers

All 14 Replies

Recommended Answers