Mischel Internet Security Forum, Malware / Trojans board
Topic: TH Not Completely Removing Trojan(s)
Tawanda70 (Newbie, Posts: 34)
TH Not Completely Removing Trojan(s)
« on: Nov 2nd, 2007, 5:54am »

Hi. We have been fighting a trojan (or trojans) now for a couple of weeks. Just when we think we have gotten rid of it, it comes back and haunts us. We have tried:

1) AdAware
2) Spybot
3) SpyHunter (free version)
4) SuperAntiSpyware (free version)
5) TrojanHunter (unlicensed version)
6) Windows Defender
7) Windows Malicious Software Remover
8) SmitFraudFix V2.240

It disables REGEDIT (which we know how to get back).
It disables CONTROL PANEL (which we know how to get back).
It disables our ability to change wallpaper (still confused with that one).

At first, we were finding printer.exe and winavxx.exe in c:\windows\system32 as well as printer.exe in our start explorer command in the registry. We've deleted them a number of times...only to have them return eventually. We've also found and cleaned Malware.LocusSoftwareInc/BestSellerAntivirus. This dragon has a few heads....

We have upgraded to a licensed copy of TrojanHunter, updated it, and run it on both quick and full scan modes. It finds various Trojans, cleans them, but they reappear.

We go into SAFE mode, run TrojanHunter full scan, run SmitFraudFix, then reboot in regular mode. A bogus warning (Windows Security Alert with misspelled words) shows up within a few minutes, and our registry editor is disabled, as well as control panel and wallpaper.

I have the latest log from SmitFraudFix as well as the latest log from HijackThis after we ran everything in safe mode and rebooted in normal mode. It only took a minute to get the error message and lose our registry and control panel rights.

At your request, I will send you any scan logs that you require in order to figure out how these issues can be resolved.

Any help would be MOST appreciated. Thank you....
 
siliconman01 (Global Moderator, Posts: 5594)
Re: TH Not Completely Removing Trojan(s)
« Reply #1 on: Nov 2nd, 2007, 7:13am »

Welcome to the forum Tawanda70
 
Please post on this thread a newly run HJT scan log.  Just copy/paste the log here in your next post.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Tawanda70 (Newbie, Posts: 34)
Re: TH Not Completely Removing Trojan(s)
« Reply #2 on: Nov 2nd, 2007, 7:48am »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:23 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Caroline\Desktop\HiJackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: infos.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: infos.exe (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?99ebc546a5004db7ae7a129a6998e63e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?99ebc546a5004db7ae7a129a6998e63e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcc_device -   - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 
--
End of file - 13701 bytes
siliconman01 (Global Moderator, Posts: 5594)
Re: TH Not Completely Removing Trojan(s)
« Reply #3 on: Nov 2nd, 2007, 8:18am »

Okay, please do the following.
 
Make all your files and folders visible
 
Please go to the link below and follow the procedure to make all your files and folders visible.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
Submit the following files to Mischel Internet Security for analysis.
 
Please send in the following files for analysis by Gavin and Magnus.  
 

sulimo.dat
ntos.exe
autos.exe
infos.exe
winter.exe
mwsoemon.exe
MWSBAR.DLL

 
The link below describes how to submit files.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Please go ahead and submit these files and then come on back here for further instructions.  I will work on these instructions while you are submitting files.
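The selection above comes from reading the HJT log for the autostart points the infection is using. The script below is an added example for this thread (it is not part of HijackThis, TrojanHunter or the original posts) that applies the same checks mechanically: extra components in the Winlogon Shell= and UserInit= values (F2), a BHO with no name (O2), Run values with a placeholder name and executables dropped straight into a Startup folder (O4), Policies\System restrictions such as DisableRegedit (O7), and any AppInit_DLLs entry (O20). The sample log is a constructed subset of the Reply #2 log; the rules, thresholds and the "known good" Winlogon components are assumptions. Note that it flags proper.exe and bronto.dll as well, and does not flag the two MyWebSearch files, which the moderator picked out by name rather than by structure.

```python
"""Triage the persistence-related lines of a HijackThis (HJT) log.

Added example, not part of HijackThis, TrojanHunter or the thread above.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines from the Reply #2 log, plus the legitimate
# THGuard and Adobe Reader entries to show what the rules leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - S-1-5-18 Startup: infos.exe (User 'SYSTEM')
O4 - Startup: infos.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autos.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag (F2, O2, O4, O7, O20)
    reason: str   # why the line is suspicious
    target: str   # file path, or the registry value for O7


# Assumption: these Winlogon values normally carry exactly one component each.
EXPECTED = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}
RUN_PLACEHOLDER_NAMES = {"", "undefined"}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".scr", ".pif")


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HJT log line (empty list if it looks normal)."""
    line = line.strip()
    tag = line.split(" ", 1)[0]
    out: list[Finding] = []
    if tag == "F2":
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
        if m:
            name, value = m.groups()
            # Shell= is space-separated, UserInit= is comma-separated.
            parts = value.split(" ") if name == "Shell" else value.split(",")
            for part in parts:
                if part.strip() and _basename(part) != EXPECTED[name]:
                    out.append(Finding("F2", f"extra component in Winlogon {name}=", part.strip()))
    elif tag == "O2":
        m = re.match(r"O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.*)$", line)
        if m:
            out.append(Finding("O2", "browser helper object with no name", m.group(1)))
    elif tag == "O4":
        m = re.match(r"O4 - HK[^:]+\\Run: \[(.*?)\] (.*)$", line)
        if m:
            entry, cmd = m.groups()
            if entry.lower() in RUN_PLACEHOLDER_NAMES:
                out.append(Finding("O4", f"Run value with placeholder name [{entry}]", cmd))
        else:
            m = re.match(r"O4 - (?:\S+ )?Startup: (.*?)(?: \(User '[^']*'\))?$", line)
            if m:
                # A shortcut shows as "name.lnk = target"; a bare executable is a dropped file.
                item = m.group(1).split(" = ", 1)[0]
                if item.lower().endswith(EXECUTABLE_SUFFIXES):
                    out.append(Finding("O4", "executable placed directly in a Startup folder", item))
    elif tag == "O7":
        m = re.match(r"O7 - (HK\w+)\\.*\\Policies\\System, (\w+)=(\w+)$", line)
        if m and m.group(3) != "0":
            hive, name, value = m.groups()
            out.append(Finding("O7", f"{hive} user restriction {name}={value}",
                               hive + "\\...\\Policies\\System\\" + name))
    elif tag == "O20":
        m = re.match(r"O20 - AppInit_DLLs: (.*)$", line)
        if m and m.group(1).strip():
            out.append(Finding("O20", "AppInit_DLLs is loaded into every user32 process", m.group(1).strip()))
    return out


def triage_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() for f in triage_line(line)]


def files_to_submit(findings: list[Finding]) -> list[str]:
    """Deduplicated file basenames in log order; O7 hits are registry values, not files."""
    names: list[str] = []
    for f in findings:
        if f.section != "O7" and _basename(f.target) not in names:
            names.append(_basename(f.target))
    return names


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4}{f.reason}: {f.target}")
    print("Submit for analysis:", ", ".join(files_to_submit(found)))
```

Run it against a full saved HJT log with `triage_log(open("hijackthis.log").read())`; the structural rules catch the hooks that survive a cleaner (Winlogon values, AppInit_DLLs, Startup folders), which is why the infection in this thread keeps coming back after each scan.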
siliconman01 (Global Moderator, Posts: 5594)
Re: TH Not Completely Removing Trojan(s)
« Reply #4 on: Nov 2nd, 2007, 8:27am »

Once you have the above files submitted, please download and save to your desktop Dr. Web CureIt from the link below.
 
http://www.freedrweb.com/cureit/
 
1.  Reboot your computer into SAFE MODE
 
2.  Run a FULL system scan using Dr. Web CureIt.  Let it clean what it finds.
 
3.  Reboot your computer back into Normal Mode
 
4.  Post back here the scan/cleaning log from Dr. Web CureIt.
 
5.  Post back here a new HJT log.
Tawanda70 (Newbie, Posts: 34)
Re: TH Not Completely Removing Trojan(s)
« Reply #5 on: Nov 2nd, 2007, 10:10am »

As I said in the email, I am unable to find 5 of the 7 files requested. I did send the other two (winter.exe and sulimo.exe). Even doing a search yielded me no results on the others. I also noticed that I get an error when I first start up the computer saying MWSBAR.DLL cannot be found (which is one of the files you asked me to send). Shall I continue with the previous instructions you gave me?
Tawanda70 (Newbie, Posts: 34)
Re: TH Not Completely Removing Trojan(s)
« Reply #6 on: Nov 2nd, 2007, 10:39am »

OK, well, I so apologize for having difficulty finding all the files, but am emailing the last 3 that were hiding in userinit.exe and will begin the next steps to recovery, lol.
siliconman01 (Global Moderator, Posts: 5594)
Re: TH Not Completely Removing Trojan(s)
« Reply #7 on: Nov 2nd, 2007, 10:45am »

Okay ;)
Tawanda70 (Newbie, Posts: 34)
Re: TH Not Completely Removing Trojan(s)
« Reply #8 on: Nov 2nd, 2007, 1:22pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:45 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Caroline\Desktop\HiJackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: infos.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: infos.exe (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: autos.zip
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?99ebc546a5004db7ae7a129a6998e63e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?99ebc546a5004db7ae7a129a6998e63e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcc_device -   - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 
--
End of file - 13775 bytes
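As an added example (not from the thread, and not TrojanHunter or HijackThis code), a small Python parser for the O16 and O23 lines of a HijackThis log like the one above, with a few triage rules a helper would otherwise apply by eye: ActiveX downloads from hosts outside an allow-list, DPF entries with no friendly name, and services with no identifiable publisher. The sample lines are modelled on the log above; the allow-list and the rules are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in HijackThis format, modelled on O16/O23 lines from the
# log above; it is not the full log.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: dlcc_device -   - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Assumed allow-list: hosts from which a Downloaded Program File (O16) is expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# O16 - DPF: {CLSID} (optional friendly name) - URL or local path
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.+)$")
# O23 - Service: display name - company (may be blank) - binary path
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.*?) - (.+)$")

@dataclass
class Entry:
    kind: str    # "O16" or "O23"
    ident: str   # CLSID for O16, service display name for O23
    label: str   # friendly name (O16) or company (O23); "" when absent
    target: str  # download URL / local file (O16) or service binary (O23)

@dataclass
class Finding:
    entry: Entry
    reason: str

def parse_hjt(text: str) -> List[Entry]:
    """Parse the O16 and O23 sections of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            entries.append(Entry("O16", m[1], (m[2] or "").strip(), m[3].strip()))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m[1].strip(), m[2].strip(), m[3].strip()))
    return entries

def dpf_host(target: str) -> Optional[str]:
    """Return the download host of an O16 target, or None for a local file."""
    parts = urlsplit(target)
    return parts.hostname if parts.scheme in ("http", "https") else None

def is_trusted(host: str, trusted=TRUSTED_DPF_HOSTS) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)

def triage(entries: List[Entry]) -> List[Finding]:
    """Defensive triage: which entries deserve a human look?"""
    findings = []
    for e in entries:
        if e.kind == "O16":
            host = dpf_host(e.target)
            if host and not is_trusted(host):
                findings.append(Finding(e, f"ActiveX download from untrusted host {host}"))
            if not e.label:
                findings.append(Finding(e, "DPF entry has no friendly name"))
        elif e.kind == "O23" and (not e.label or e.label.lower() == "unknown owner"):
            findings.append(Finding(e, "service has no identifiable publisher"))
    return findings

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.kind} {f.entry.ident}: {f.reason}")
```

On the sample above this flags the imgfarm.com DPF twice (untrusted host, no name) and the two services without a publisher; a flagged entry is a starting point for a lookup, not a verdict.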
Tawanda70
Newbie
Gender: female
Posts: 34
Re: TH Not Completely Removing Trojan(s)
« Reply #9 on: Nov 2nd, 2007, 1:27pm »

=============================================================================
Dr.Web(R) Scanner for Windows v4.44.0 (4.44.0.09140)
Copyright (c) Igor Daniloff, 1992-2007
Log generated on: 2007-11-02, 12:57:31 [OFFICE][Caroline]
Command-line: "C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\setup.exe" /lng /ini:setup_XP.ini
Operating system:Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
DwShield started
Engine version: 4.44 (4.44.0.09170)
Engine API version: 2.02
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 1114 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44411.cdb - 1582 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44410.cdb - 1131 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44409.cdb - 2303 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44408.cdb - 3904 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44407.cdb - 2456 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44406.cdb - 4411 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44405.cdb - 1311 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44404.cdb - 2486 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44403.cdb - 4462 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44402.cdb - 94 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44401.cdb - 557 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44400.cdb - 945 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 209466 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 148 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 24 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\cwn44401.cdb - 698 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 2747 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 13534 virus records
Total virus records: 253373
Key file: C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\setup.key
License key number: 0010092936
Registered to: Dr.Web CureIt Project
License key activates on: 2007-02-05
License key expires on: 2010-02-11
 
[Scan path] c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{01c3afd2-ba8a-418d-8648-f5f287962b8a}\mpengine.dll
[Scan path] c:\documents and settings\all users\start menu\programs\startup\autos.exe
[Scan path] c:\documents and settings\all users\start menu\programs\startup\autos.zip
[Scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\all users\start menu\programs\startup\digital line detect.lnk
[Scan path] c:\documents and settings\all users\start menu\programs\startup\exif launcher.lnk
[Scan path] c:\documents and settings\caroline\desktop\cureit.exe
[Scan path] c:\documents and settings\caroline\local settings\temp\rarsfx0\_start.exe
[Scan path] c:\documents and settings\caroline\local settings\temp\rarsfx0\dwebllio.dll
[Scan path] c:\documents and settings\caroline\local settings\temp\rarsfx0\setup.exe
[Scan path] c:\documents and settings\caroline\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\caroline\start menu\programs\startup\infos.exe
[Scan path] c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
[Scan path] c:\program files\adobe\acrobat 7.0\reader\adobeupdatemanager.exe
[Scan path] c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
[Scan path] c:\program files\advanced registry optimizer\aro.exe
[Scan path] c:\program files\ati technologies\ati control panel\atiptaxx.exe
[Scan path] c:\program files\common files\aol\acs\aolacsd.exe
[Scan path] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
[Scan path] c:\program files\common files\installshield\updateservice\issch.exe
[Scan path] c:\program files\common files\installshield\updateservice\isuspm.exe
[Scan path] c:\program files\common files\logishrd\lcommgr\communications_helper.exe
[Scan path] c:\program files\common files\logishrd\lvcomser\lvcomser.exe
[Scan path] c:\program files\common files\logishrd\lvmvfm\lvprcsrv.exe
[Scan path] c:\program files\common files\logishrd\srvlnch\srvlnch.exe
[Scan path] c:\program files\common files\microsoft shared\information retrieval\msitss.dll
[Scan path] c:\program files\common files\microsoft shared\office11\msoxmlmf.dll
[Scan path] c:\program files\common files\microsoft shared\source engine\ose.exe
[Scan path] c:\program files\common files\microsoft shared\vs7debug\mdm.exe
[Scan path] c:\program files\common files\microsoft shared\web components\11\owc11.dll
[Scan path] c:\program files\common files\microsoft shared\web folders\msonsext.dll
[Scan path] c:\program files\common files\system\ole db\oledb32.dll
[Scan path] c:\program files\dell photo aio printer 924\dlccmon.exe
[Scan path] c:\program files\dellsupport\brkrsvc.exe
[Scan path] c:\program files\dellsupport\dsagnt.exe
[Scan path] c:\program files\dellsupport\gtaction\triggers\dsproct.sys
[Scan path] c:\program files\enigma software group\spyhunter\spyhunter.exe
[Scan path] c:\program files\google\common\google updater\googleupdaterservice.exe
[Scan path] c:\program files\google\google desktop search\googledesktop.exe
[Scan path] c:\program files\google\googletoolbar5.dll
[Scan path] c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
[Scan path] c:\program files\intel\prosetwired\ncs\sync\netsvc.exe
[Scan path] c:\program files\ipod\bin\ipodservice.exe
[Scan path] c:\program files\itunes\ituneshelper.exe
[Scan path] c:\program files\itunes\itunesminiplayer.dll
[Scan path] c:\program files\java\jre1.6.0_03\bin\jusched.exe
[Scan path] c:\program files\lavasoft\ad-aware 2007\aawservice.exe
Tawanda70
Newbie
Gender: female
Posts: 34
Re: TH Not Completely Removing Trojan(s)
« Reply #10 on: Nov 2nd, 2007, 1:29pm »

[Scan path] c:\program files\lavasoft\ad-aware 2007\ceapi.dll
[Scan path] c:\program files\lavasoft\ad-aware 2007\pkarchive84cb.dll
[Scan path] c:\program files\lavasoft\ad-aware 2007\update.dll
[Scan path] c:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll
[Scan path] c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe
[Scan path] c:\program files\logitech\quickcam\quickcam.exe
[Scan path] c:\program files\mcafee.com\agent\mcagent.exe
[Scan path] c:\program files\mcafee.com\agent\mcdetect.exe
[Scan path] c:\program files\mcafee.com\agent\mctskshd.exe
[Scan path] c:\program files\mcafee.com\agent\mcupdate.exe
[Scan path] c:\program files\mcafee.com\agent\mcupdmgr.exe
[Scan path] c:\program files\mcafee.com\personal firewall\mpfservice.exe
[Scan path] c:\program files\mcafee.com\personal firewall\mpftray.exe
[Scan path] c:\program files\mcafee.com\vso\mcmnhdlr.exe
[Scan path] c:\program files\mcafee.com\vso\mcvsshl.dll
[Scan path] c:\program files\mcafee.com\vso\mcvsshld.exe
[Scan path] c:\program files\mcafee.com\vso\oasclnt.exe
[Scan path] c:\program files\mcafee\spamkiller\mskagent.exe
[Scan path] c:\program files\mcafee\spamkiller\mskdetct.exe
[Scan path] c:\program files\mcafee\spamkiller\msksrvr.exe
[Scan path] c:\program files\messenger\msmsgs.exe
[Scan path] c:\program files\microsoft office\office11\mlshext.dll
[Scan path] c:\program files\microsoft office\office11\msohev.dll
[Scan path] c:\program files\microsoft office\office11\olkfstub.dll
[Scan path] c:\program files\outlook express\setup50.exe
[Scan path] c:\program files\outlook express\wabfind.dll
[Scan path] c:\program files\quicktime\qttask.exe
[Scan path] c:\program files\regshave\regshave.exe
[Scan path] c:\program files\superantispyware\sasdifsv.sys
[Scan path] c:\program files\superantispyware\sasenum.sys
[Scan path] c:\program files\superantispyware\saskutil.sys
[Scan path] c:\program files\superantispyware\sasseh.dll
[Scan path] c:\program files\superantispyware\saswinlo.dll
[Scan path] c:\program files\superantispyware\superantispyware.exe
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 87
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 2028 Kb/s
Scan time: 00:00:24
-----------------------------------------------------------------------------
 
Scanning interrupted by user! - no viruses found
=============================================================================
Total session statistics
=============================================================================
Objects scanned: 87
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 2028 Kb/s
Scan time: 00:00:24
=============================================================================
 
=============================================================================
Dr.Web(R) Scanner for Windows v4.44.0 (4.44.0.09140)
Copyright (c) Igor Daniloff, 1992-2007
Log generated on: 2007-11-02, 12:59:18 [OFFICE][Caroline]
Command-line: "C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\setup.exe" /lng /ini:setup_XP.ini
Operating system:Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
DwShield started
Engine version: 4.44 (4.44.0.09170)
Engine API version: 2.02
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 1114 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44411.cdb - 1582 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44410.cdb - 1131 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44409.cdb - 2303 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44408.cdb - 3904 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44407.cdb - 2456 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44406.cdb - 4411 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44405.cdb - 1311 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44404.cdb - 2486 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44403.cdb - 4462 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44402.cdb - 94 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44401.cdb - 557 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crw44400.cdb - 945 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 209466 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 148 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 24 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\cwn44401.cdb - 698 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 2747 virus records
[Virus database] C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 13534 virus records
Total virus records: 253373
Key file: C:\DOCUME~1\Caroline\LOCALS~1\Temp\RarSFX0\setup.key
License key number: 0010092936
Registered to: Dr.Web CureIt Project
License key activates on: 2007-02-05
License key expires on: 2010-02-11
 
Tawanda70
Newbie
Gender: female
Posts: 34
Re: TH Not Completely Removing Trojan(s)
« Reply #11 on: Nov 2nd, 2007, 1:39pm »

[Scan path] c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{01c3afd2-ba8a-418d-8648-f5f287962b8a}\mpengine.dll
[Scan path] c:\documents and settings\all users\start menu\programs\startup\autos.exe
[Scan path] c:\documents and settings\all users\start menu\programs\startup\autos.zip
[Scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\all users\start menu\programs\startup\digital line detect.lnk
[Scan path] c:\documents and settings\all users\start menu\programs\startup\exif launcher.lnk
[Scan path] c:\documents and settings\caroline\desktop\cureit.exe
[Scan path] c:\documents and settings\caroline\local settings\temp\rarsfx0\_start.exe
[Scan path] c:\documents and settings\caroline\local settings\temp\rarsfx0\dwebllio.dll
[Scan path] c:\documents and settings\caroline\local settings\temp\rarsfx0\setup.exe
[Scan path] c:\documents and settings\caroline\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\caroline\start menu\programs\startup\infos.exe
[Scan path] c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
[Scan path] c:\program files\adobe\acrobat 7.0\reader\adobeupdatemanager.exe
[Scan path] c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
[Scan path] c:\program files\advanced registry optimizer\aro.exe
[Scan path] c:\program files\ati technologies\ati control panel\atiptaxx.exe
[Scan path] c:\program files\common files\aol\acs\aolacsd.exe
[Scan path] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
[Scan path] c:\program files\common files\installshield\updateservice\issch.exe
[Scan path] c:\program files\common files\installshield\updateservice\isuspm.exe
[Scan path] c:\program files\common files\logishrd\lcommgr\communications_helper.exe
[Scan path] c:\program files\common files\logishrd\lvcomser\lvcomser.exe
[Scan path] c:\program files\common files\logishrd\lvmvfm\lvprcsrv.exe
[Scan path] c:\program files\common files\logishrd\srvlnch\srvlnch.exe
[Scan path] c:\program files\common files\microsoft shared\information retrieval\msitss.dll
[Scan path] c:\program files\common files\microsoft shared\office11\msoxmlmf.dll
[Scan path] c:\program files\common files\microsoft shared\source engine\ose.exe
[Scan path] c:\program files\common files\microsoft shared\vs7debug\mdm.exe
[Scan path] c:\program files\common files\microsoft shared\web components\11\owc11.dll
[Scan path] c:\program files\common files\microsoft shared\web folders\msonsext.dll
[Scan path] c:\program files\common files\system\ole db\oledb32.dll
[Scan path] c:\program files\dell photo aio printer 924\dlccmon.exe
[Scan path] c:\program files\dellsupport\brkrsvc.exe
[Scan path] c:\program files\dellsupport\dsagnt.exe
[Scan path] c:\program files\dellsupport\gtaction\triggers\dsproct.sys
[Scan path] c:\program files\enigma software group\spyhunter\spyhunter.exe
[Scan path] c:\program files\google\common\google updater\googleupdaterservice.exe
[Scan path] c:\program files\google\google desktop search\googledesktop.exe
[Scan path] c:\program files\google\googletoolbar5.dll
[Scan path] c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
[Scan path] c:\program files\intel\prosetwired\ncs\sync\netsvc.exe
[Scan path] c:\program files\ipod\bin\ipodservice.exe
[Scan path] c:\program files\itunes\ituneshelper.exe
[Scan path] c:\program files\itunes\itunesminiplayer.dll
[Scan path] c:\program files\java\jre1.6.0_03\bin\jusched.exe
[Scan path] c:\program files\lavasoft\ad-aware 2007\aawservice.exe
[Scan path] c:\program files\lavasoft\ad-aware 2007\ceapi.dll
[Scan path] c:\program files\lavasoft\ad-aware 2007\pkarchive84cb.dll
[Scan path] c:\program files\lavasoft\ad-aware 2007\update.dll
[Scan path] c:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll
[Scan path] c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe
[Scan path] c:\program files\logitech\quickcam\quickcam.exe
[Scan path] c:\program files\mcafee.com\agent\mcagent.exe
[Scan path] c:\program files\mcafee.com\agent\mcdetect.exe
[Scan path] c:\program files\mcafee.com\agent\mctskshd.exe
[Scan path] c:\program files\mcafee.com\agent\mcupdate.exe
[Scan path] c:\program files\mcafee.com\agent\mcupdmgr.exe
[Scan path] c:\program files\mcafee.com\personal firewall\mpfservice.exe
[Scan path] c:\program files\mcafee.com\personal firewall\mpftray.exe
[Scan path] c:\program files\mcafee.com\vso\mcmnhdlr.exe
[Scan path] c:\program files\mcafee.com\vso\mcvsshl.dll
[Scan path] c:\program files\mcafee.com\vso\mcvsshld.exe
[Scan path] c:\program files\mcafee.com\vso\oasclnt.exe
[Scan path] c:\program files\mcafee\spamkiller\mskagent.exe
[Scan path] c:\program files\mcafee\spamkiller\mskdetct.exe
[Scan path] c:\program files\mcafee\spamkiller\msksrvr.exe
[Scan path] c:\program files\messenger\msmsgs.exe
[Scan path] c:\program files\microsoft office\office11\mlshext.dll
[Scan path] c:\program files\microsoft office\office11\msohev.dll
[Scan path] c:\program files\microsoft office\office11\olkfstub.dll
[Scan path] c:\program files\outlook express\setup50.exe
[Scan path] c:\program files\outlook express\wabfind.dll
[Scan path] c:\program files\quicktime\qttask.exe
[Scan path] c:\program files\regshave\regshave.exe
[Scan path] c:\program files\superantispyware\sasdifsv.sys
[Scan path] c:\program files\superantispyware\sasenum.sys
[Scan path] c:\program files\superantispyware\saskutil.sys
[Scan path] c:\program files\superantispyware\sasseh.dll
[Scan path] c:\program files\superantispyware\saswinlo.dll
[Scan path] c:\program files\superantispyware\superantispyware.exe
[Scan path] c:\program files\the weather channel fw\desktop weather\desktopweather.exe
[Scan path] c:\program files\trojanhunter 5.0\contmenu.dll
[Scan path] c:\program files\trojanhunter 5.0\thguard.exe
[Scan path] c:\program files\viewpoint\common\viewpointservice.exe
[Scan path] c:\program files\windows defender\mpclient.dll
[Scan path] c:\program files\windows defender\mprtplug.dll
[Scan path] c:\program files\windows defender\mpshhook.dll
[Scan path] c:\program files\windows defender\mpsvc.dll
[Scan path] c:\program files\windows defender\msascui.exe
[Scan path] c:\program files\windows defender\msmpeng.exe
[Scan path] c:\program files\windows live toolbar\msntb.dll
[Scan path] c:\program files\windows media player\wmpnetwk.exe
Tawanda70
Newbie
Gender: female
Posts: 34
Re: TH Not Completely Removing Trojan(s)
« Reply #12 on: Nov 2nd, 2007, 1:50pm »

This is ridiculously long. I am going to email the whole CureIt log instead.
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5594
Re: TH Not Completely Removing Trojan(s)
« Reply #13 on: Nov 2nd, 2007, 2:49pm »

Something looks very wrong with CureIt's scan. Let's go a different route.

1. Go to the link below, download ComboFix.exe and save it on your desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Then de-activate all your security programs except your software firewall.

3. Double-click ComboFix.exe and follow the prompts.

When finished, it will produce a log for you.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

4. Post the ComboFix log results back here please.

5. Then do a REMOTE scan with BitDefender. Be sure to keep your other security programs deactivated during its scan.

http://www.bitdefender.com/scan8/ie.html

6. Post back here the results of the BitDefender scan.

7. Post a new HJT scan log also.

Did you intentionally install MyWebSearch?
« Last Edit: Nov 2nd, 2007, 2:59pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Tawanda70
Newbie
Gender: female
Posts: 34
Re: TH Not Completely Removing Trojan(s)
« Reply #14 on: Nov 2nd, 2007, 3:35pm »

MyWebSearch magically appeared. I DO have a child that could be to blame, lol.  
 
De-activate? As in uninstall?