this one is from the HijackThis Analyzer...
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 9:47:00 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Verizon Online\SFP\vzNetSvc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozingsurveys.com/survey_...ivesurveys.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...7.NH3&N=PL&O=I
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zzzCamInSuiteIII] D:\SETUP.EXE 2******
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://jobs.spb.ca.gov/Codebase/FormCtl.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://jobs.spb.ca.gov/codebase/plsspeller.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {7936F65B-5993-4CB3-96E2-E2DB0B781E10} - http://download.kerclink.com:8080/KERclinkInstall.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://inboxdollars.skilljam.com/ssp/SSP.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://jobs.spb.ca.gov/codebase/fontinstaller.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
End of KRC HijackThis Analyzer Log.
====================================================================
this one is from TDS3...
21:57:52 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
21:57:52 [Init] Started 01-03-05 21:57:52 Pacific Standard Time (UTC: 8), Internet Time @1290.19
21:57:52 [Init] Loading TDS-3 Systems ...
21:57:52 [Init] Token successfully adjusted.
21:57:52 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
21:57:52 [Init] • Plugins : OK. Loaded 13
21:57:52 [Init] • Exec Protection : Not Installed
21:57:52 [Init] WARNING: Your Radius.TD3 database needs to be updated!
21:57:52 [Init] Please download the latest from
http://tds.diamondcs.com.au/radius.td3
21:57:52 [Init] Licensed users can use the Update facility from the TDS menu
21:57:52 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
21:57:59 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
21:57:59 [Init] • Systems Initialised [48274 references - 23876 primaries/12224 traces/12174 variants/other]
21:57:59 [Init] Radius Systems loaded. <Databases updated 01-03-2005>
21:57:59 [Init] TDS-3 Ready. <Rachel@192.168.1.101, 127.0.0.1 - United States>
21:57:59 [Tip Of The Day] TDS-3 is the only anti-trojan system capable of detecting, enumerating and scanning in hidden NTFS Alternate Data Streams - you can enable this powerful capability in Scan Control.
21:57:59 [TDS] Good evening Rachel.
21:58:02 [Mutex Memory Scan] Started...
21:58:04 [Mutex Memory Scan] Finished (no trojan mutexes found).
21:58:04 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
21:58:59 [CRC32] Started - verifying 29 files ...
21:59:00 [CRC32] File doesn't exist: C:\autoexec.bat
21:59:06 [CRC32] Test finished.
21:59:51 [Memory Scan] Memory scan started, please wait a moment ...
21:59:51 [Memory Scan] Memory scan complete.
21:59:51 [Mutex Memory Scan] Started...
21:59:53 [Mutex Memory Scan] Finished (no trojan mutexes found).
21:59:53 [Trace Scan] Started...
22:00:01 [Trace Scan] Finished.
22:00:01 [ServiceScan] Scanning for services and drivers ...
22:00:07 [ServiceScan] Scanned 326 services and drivers.
22:00:07 [File Scan] Scanning in A:\ ...
22:00:08 [File Scan] Scanned 0 files: 0 alarms in 1.125 seconds (Avg 1. files/sec)
22:00:08 [File Scan] Scanning in C:\ ...
22:34:18 [File Scan] Scanned 48056 files: 8 alarms in 2049.656 seconds (Avg 24.45 files/sec)
22:34:18 [File Scan] Scanning in D:\ ...
22:34:18 [File Scan] Scanned 0 files: 8 alarms in 0.046875 seconds (Avg 1. files/sec)
22:34:18 [Scan] Finished.
the alarms...
Scan Control Dumped @ 22:35:40 01-03-05
Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll
Positive identification: TrojanDownloader.Win32.TSUpdate.g2
File: c:\program files\common files\tsa\tsl2.exe
Positive identification: TrojanDownloader.Win32.TSUpdate.g1
File: c:\program files\common files\tsa\tsp2.exe
Suspicious Filename: HTA file in suspicious location
File: c:\program files\microsoft money\system\discover.hta
Suspicious Filename: HTA file in suspicious location
File: c:\program files\microsoft money\system\lnpg.hta
Positive identification (DLL): Adware.WinAD.f (dll)
File: c:\program files\windows adservice\winadmaster.dll
Positive identification (DLL): Adware.OTXMedia (dll)
File: c:\windows\downloaded program files\otxmedia.dll
Positive identification (DLL): Riskware.Downloader.OTXloader (dll)
File: c:\windows\downloaded program files\preloader.dll
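Editor's added example (my own code, not part of the post, HijackThis, the KRC analyzer or TDS-3): the two logs above describe the same two files from opposite ends. The O16 lines record which ActiveX codebases Internet Explorer was told to fetch (Preloader.dll, OTXMedia.dll), and the TDS-3 alarms name the copies IE cached under Downloaded Program Files. The script below parses both formats and ties each O16 entry to any scanner verdict on a file of the same name. The sample lines are copied from the logs in this post; matching on file basename alone is a heuristic I chose for the example, and `parse_o16`, `parse_tds_alarms` and `correlate` are my names.

```python
"""Correlate HijackThis O16 (DPF/ActiveX) entries with TDS-3 file alarms.

Added example for this post, not code from HijackThis, KRC or TDS-3.
Matching by file basename is a heuristic: IE stores fetched ActiveX
codebases under Downloaded Program Files using the file name from the URL.
"""
import ntpath
import re
from posixpath import basename as url_basename
from urllib.parse import urlsplit

# Constructed sample: O16 lines copied from the HijackThis log above.
HJT_SAMPLE = """\
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {7936F65B-5993-4CB3-96E2-E2DB0B781E10} - http://download.kerclink.com:8080/KERclinkInstall.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
"""

# Constructed sample: alarm block copied from the TDS-3 scan-control dump above.
TDS_SAMPLE = """\
Positive identification (DLL): Adware.MiniBug (dll)
File: c:\\program files\\aws\\weatherbug\\minibugtransporter.dll
Positive identification (DLL): Adware.OTXMedia (dll)
File: c:\\windows\\downloaded program files\\otxmedia.dll
Positive identification (DLL): Riskware.Downloader.OTXloader (dll)
File: c:\\windows\\downloaded program files\\preloader.dll
"""

# "O16 - DPF: {CLSID} (optional name) - optional codebase URL"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" -(?: (?P<url>\S+))?$",
    re.IGNORECASE,
)


def parse_o16(hjt_text):
    """Return one dict per O16 line; other HijackThis sections are ignored."""
    entries = []
    for line in hjt_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def parse_tds_alarms(tds_text):
    """Pair each TDS-3 verdict line with the 'File:' line that follows it."""
    alarms, verdict = [], None
    for line in tds_text.splitlines():
        line = line.strip()
        if line.startswith("File: "):
            if verdict is not None:
                alarms.append({"verdict": verdict, "path": line[len("File: "):]})
            verdict = None
        elif line:
            verdict = line
    return alarms


def correlate(hjt_text, tds_text):
    """Attach to every O16 entry the scanner verdicts on a same-named file."""
    by_file = {}
    for alarm in parse_tds_alarms(tds_text):
        key = ntpath.basename(alarm["path"]).lower()
        by_file.setdefault(key, []).append(alarm["verdict"])
    results = []
    for entry in parse_o16(hjt_text):
        codebase = None
        if entry["url"]:
            codebase = url_basename(urlsplit(entry["url"]).path).lower()
        results.append({**entry, "file": codebase, "alarms": by_file.get(codebase, [])})
    return results


def flagged(results):
    """Only the O16 entries whose cached codebase drew at least one alarm."""
    return [r for r in results if r["alarms"]]


if __name__ == "__main__":
    for r in correlate(HJT_SAMPLE, TDS_SAMPLE):
        status = "; ".join(r["alarms"]) if r["alarms"] else "no alarm"
        print(f'{r["clsid"]} {r["name"] or "(no name)"} -> {r["file"]}: {status}')
```

Run as-is it reports the two otxresearch.com controls against their TDS-3 verdicts and leaves the KERclink, JRE and MSN entries unflagged. Feed it the full O16 section and the whole alarm dump to see which of the remaining downloaded controls a file scanner actually complained about; an O16 entry with no alarm is not cleared, only unmatched.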