trouble with downloader.trojan

patbrown · 01-23-2005, 03:59 PM

Hello there,
Last week you helped me remove 2 trojan downloader viruses from my computer. At least I think I got rid of them. I have been very ill with a flu virus myself all week and haven't used the computer that much, but every time I scanned with AVG, Ad-Aware, or Spybot all came up clean.
Today I got a email from a friend who said she could not open my mail because it said it had a virus.
I did all the scans again including the on line Panda scan and all was fine. When I scaned with Symantec it said I had 1 file, c:\BACKUP\BTEST4.SCR, it is infected with Downloader.Trojan.
Here is a hijackthis scan I just did, Please help.
Thanks Patricia

Logfile of HijackThis v1.99.0
Scan saved at 5:46:47 PM, on 23/01/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\RSSOFT\RSEDNCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SIMPLE STAR\PHOTOSHOW DELUXE 3\DATA\XTRAS\MSSYSMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\MY MUSIC\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSSoft\RSEDNClient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Red Swoosh EDN Client] C:\Program Files\RSSoft\RSEDNClient.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba686...p/RdxIE601.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb08.pogo.com/game/delux...ploader_v6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab

CTSNKY · 01-23-2005, 04:50 PM

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

patbrown · 01-23-2005, 07:13 PM

Hi there,
Here are the results. It wouldn't let me copy the bottom part so I have typed them out for you. Sorry for the delay.
Pat

20:17:55 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
20:17:55 [Init] Started 23-01-05 20:17:55 Canada Central Standard Time (UTC: 6), Internet Time @1137.44
20:17:55 [Init] Loading TDS-3 Systems ...
20:17:55 [Init] Token successfully adjusted.
20:17:55 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
20:17:56 [Init] • Plugins : OK. Loaded 13
20:17:56 [Init] • Exec Protection : Not Installed
20:17:56 [Init] WARNING: Your Radius.TD3 database needs to be updated!
20:17:56 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
20:17:56 [Init] Licensed users can use the Update facility from the TDS menu
20:17:56 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
20:18:06 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
20:18:06 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
20:18:06 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
20:18:18 [Init] TDS-3 Ready. <Pat h@0.0.0.0, 127.0.0.1, 142.165.135.169, 3.0.0.0 - canada>
20:18:18 [Tip Of The Day] Shopping for DiamondCS services and software is easy! Simply visit http://www.diamondcs.com.au/shop.php
20:18:18 [TDS] Good evening Pat h.
20:18:27 [Mutex Memory Scan] Started...
20:18:28 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:18:28 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
20:19:01 [CRC32] Started - verifying 29 files ...
20:19:02 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
20:19:03 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
20:19:04 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
20:19:06 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
20:19:06 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
20:19:07 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
20:19:08 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
20:19:08 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
20:19:09 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
20:19:10 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
20:19:10 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
20:19:11 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
20:19:12 [CRC32] Test finished.
20:20:59 [Memory Scan] Memory scan started, please wait a moment ...
20:21:03 [Memory Scan] Memory scan complete.
20:21:03 [Mutex Memory Scan] Started...
20:21:04 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:21:04 [Trace Scan] Started...
20:21:23 [Trace Scan] Finished.
20:21:23 [ServiceScan] Scanning for services and drivers ...
20:21:24 [ServiceScan] Scanned 25 services and drivers.
20:21:24 [File Scan] Scanning in A:\ ...
20:21:32 [File Scan] Scanned 0 files: 0 alarms in 8.132813 seconds (Avg 1. files/sec)
20:21:32 [File Scan] Scanning in C:\ ...
20:50:27 [File Scan] Scanned 28666 files: 2 alarms in 1734.719 seconds (Avg 17.52 files/sec)
20:50:28 [File Scan] Scanning in D:\ ...
20:50:28 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
20:50:28 [Scan] Finished.
20:55:27 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr0.txt

1) Alarm- positive identification (DLL)
Name- Adware.PopCap (dll)
File- c:\windows\downloaded program files\popcap loader.dll

2) Alarm- positive identification
Name- Adware.Locators Dropper
File - c:\backup\btest4.scr
I hope this helps.
Pat

CTSNKY · 01-23-2005, 07:46 PM

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):

c:\windows\downloaded program files\popcap loader.dll
c:\backup\btest4.scr

Reboot and report back with a fresh HJT log.

patbrown · 01-23-2005, 08:23 PM

I downloaded Killbox . The box that says "Unregister .dll before deleting" was grayed out.
The bottom of the screen has a line that says Kernel 32.DLL, I was able to hit the X ok for the c:\backup\btest4.scr, but when I tried the other one a box came up that said Killbox has caused an error in Kernel32.DLL, Killbox will now close, with the only option being to close it. They both said that the files would be deleted upon reboot, but it never asked if I wanted to reboot.Help.
Thanks Pat

CTSNKY · 01-23-2005, 08:26 PM

Go ahead and reboot. Then post a fresh HJT log with a report on your current status.

patbrown · 01-23-2005, 08:45 PM

Hello there,
Just a note, I had been running scans all day and at some point earlier on I had disabled system restore. I have enabled it now. Sorry I hope thai didn't screw anything up. Thanks so much for all your help and patience.
Pat

Logfile of HijackThis v1.99.0
Scan saved at 3:30:35 PM, on 16/01/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\MY DOCUMENTS\MY MUSIC\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSSoft\RSEDNClient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba686...p/RdxIE601.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb08.pogo.com/game/delux...ploader_v6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

CTSNKY · 01-23-2005, 08:51 PM

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

patbrown · 01-23-2005, 09:03 PM

I haven't tried anything as yet, but I just wanted to thank you from the bottom of my heart for all your help. I don't know what I would have done without you.
I have gone to the link you gave me and have read it all twice. This is probably a stupid question but how do these things get on my computer to begin with? I have AVG, Spybot, and Ad-aware. My husband being a musician used to go to music sites but no more, (not after seeing all my stress last weekend). The most exciting place I go is to pogo to play games and to read my email.
IF you think it is this I will stop going there as well.
Thanks again,
Pat

greyknight17 · 01-24-2005, 09:38 AM

These things have their way of sneaking in. You could have caught it from browsing a website/ad, downloading/installing a program or opening up an email. By installing those prevention programs, this will help cut back the chances of being reinfected again.

01-23-2005, 03:59 PM	#1 (permalink)
patbrown Registered User Join Date: Jan 2005 Posts: 23 OS: win me	trouble with downloader.trojan Hello there, Last week you helped me remove 2 trojan downloader viruses from my computer. At least I think I got rid of them. I have been very ill with a flu virus myself all week and haven't used the computer that much, but every time I scanned with AVG, Ad-Aware, or Spybot all came up clean. Today I got a email from a friend who said she could not open my mail because it said it had a virus. I did all the scans again including the on line Panda scan and all was fine. When I scaned with Symantec it said I had 1 file, c:\BACKUP\BTEST4.SCR, it is infected with Downloader.Trojan. Here is a hijackthis scan I just did, Please help. Thanks Patricia Logfile of HijackThis v1.99.0 Scan saved at 5:46:47 PM, on 23/01/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE C:\PROGRAM FILES\RSSOFT\RSEDNCLIENT.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\SIMPLE STAR\PHOTOSHOW DELUXE 3\DATA\XTRAS\MSSYSMGR.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\MY DOCUMENTS\MY MUSIC\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSSoft\RSEDNClient.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet O4 - HKCU\..\RunServices: [Red Swoosh EDN Client] C:\Program Files\RSSoft\RSEDNClient.exe O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\RunServices: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O15 - Trusted Zone: .musicmatch.com O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba686...p/RdxIE601.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb08.pogo.com/game/delux...ploader_v6.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab

01-23-2005, 04:50 PM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. __________________ GO BIG BLUE!!

01-23-2005, 07:13 PM	#3 (permalink)
patbrown Registered User Join Date: Jan 2005 Posts: 23 OS: win me	tds3 scan results Hi there, Here are the results. It wouldn't let me copy the bottom part so I have typed them out for you. Sorry for the delay. Pat 20:17:55 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED) 20:17:55 [Init] Started 23-01-05 20:17:55 Canada Central Standard Time (UTC: 6), Internet Time @1137.44 20:17:55 [Init] Loading TDS-3 Systems ... 20:17:55 [Init] Token successfully adjusted. 20:17:55 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum 20:17:56 [Init] • Plugins : OK. Loaded 13 20:17:56 [Init] • Exec Protection : Not Installed 20:17:56 [Init] WARNING: Your Radius.TD3 database needs to be updated! 20:17:56 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 20:17:56 [Init] Licensed users can use the Update facility from the TDS menu 20:17:56 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 20:18:06 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families 20:18:06 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other] 20:18:06 [Init] Radius Systems loaded. <Databases updated 14-10-2004> 20:18:18 [Init] TDS-3 Ready. <Pat h@0.0.0.0, 127.0.0.1, 142.165.135.169, 3.0.0.0 - canada> 20:18:18 [Tip Of The Day] Shopping for DiamondCS services and software is easy! Simply visit http://www.diamondcs.com.au/shop.php 20:18:18 [TDS] Good evening Pat h. 20:18:27 [Mutex Memory Scan] Started... 20:18:28 [Mutex Memory Scan] Finished (no trojan mutexes found). 20:18:28 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering. 20:19:01 [CRC32] Started - verifying 29 files ... 20:19:02 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe 20:19:03 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe 20:19:04 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe 20:19:06 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe 20:19:06 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe 20:19:07 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe 20:19:08 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe 20:19:08 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe 20:19:09 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe 20:19:10 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe 20:19:10 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll 20:19:11 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll 20:19:12 [CRC32] Test finished. 20:20:59 [Memory Scan] Memory scan started, please wait a moment ... 20:21:03 [Memory Scan] Memory scan complete. 20:21:03 [Mutex Memory Scan] Started... 20:21:04 [Mutex Memory Scan] Finished (no trojan mutexes found). 20:21:04 [Trace Scan] Started... 20:21:23 [Trace Scan] Finished. 20:21:23 [ServiceScan] Scanning for services and drivers ... 20:21:24 [ServiceScan] Scanned 25 services and drivers. 20:21:24 [File Scan] Scanning in A:\ ... 20:21:32 [File Scan] Scanned 0 files: 0 alarms in 8.132813 seconds (Avg 1. files/sec) 20:21:32 [File Scan] Scanning in C:\ ... 20:50:27 [File Scan] Scanned 28666 files: 2 alarms in 1734.719 seconds (Avg 17.52 files/sec) 20:50:28 [File Scan] Scanning in D:\ ... 20:50:28 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec) 20:50:28 [Scan] Finished. 20:55:27 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr0.txt 1) Alarm- positive identification (DLL) Name- Adware.PopCap (dll) File- c:\windows\downloaded program files\popcap loader.dll 2) Alarm- positive identification Name- Adware.Locators Dropper File - c:\backup\btest4.scr I hope this helps. Pat

01-23-2005, 07:46 PM	#4 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete): c:\windows\downloaded program files\popcap loader.dll c:\backup\btest4.scr Reboot and report back with a fresh HJT log. __________________ GO BIG BLUE!!

01-23-2005, 08:23 PM	#5 (permalink)
patbrown Registered User Join Date: Jan 2005 Posts: 23 OS: win me	problem I downloaded Killbox . The box that says "Unregister .dll before deleting" was grayed out. The bottom of the screen has a line that says Kernel 32.DLL, I was able to hit the X ok for the c:\backup\btest4.scr, but when I tried the other one a box came up that said Killbox has caused an error in Kernel32.DLL, Killbox will now close, with the only option being to close it. They both said that the files would be deleted upon reboot, but it never asked if I wanted to reboot.Help. Thanks Pat

01-23-2005, 08:26 PM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Go ahead and reboot. Then post a fresh HJT log with a report on your current status. __________________ GO BIG BLUE!!

01-23-2005, 08:45 PM	#7 (permalink)
patbrown Registered User Join Date: Jan 2005 Posts: 23 OS: win me	hijackthis log Hello there, Just a note, I had been running scans all day and at some point earlier on I had disabled system restore. I have enabled it now. Sorry I hope thai didn't screw anything up. Thanks so much for all your help and patience. Pat Logfile of HijackThis v1.99.0 Scan saved at 3:30:35 PM, on 16/01/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\MY DOCUMENTS\MY MUSIC\HIJACKTHIS.EXE C:\WINDOWS\SYSTEM\STIMON.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSSoft\RSEDNClient.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O15 - Trusted Zone: .musicmatch.com O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba686...p/RdxIE601.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb08.pogo.com/game/delux...ploader_v6.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB Last edited by CTSNKY : 01-23-2005 at 08:50 PM.

01-23-2005, 08:51 PM	#8 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ GO BIG BLUE!!

01-23-2005, 09:03 PM	#9 (permalink)
patbrown Registered User Join Date: Jan 2005 Posts: 23 OS: win me	Thanks I haven't tried anything as yet, but I just wanted to thank you from the bottom of my heart for all your help. I don't know what I would have done without you. I have gone to the link you gave me and have read it all twice. This is probably a stupid question but how do these things get on my computer to begin with? I have AVG, Spybot, and Ad-aware. My husband being a musician used to go to music sites but no more, (not after seeing all my stress last weekend). The most exciting place I go is to pogo to play games and to read my email. IF you think it is this I will stop going there as well. Thanks again, Pat

01-24-2005, 09:38 AM	#10 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	These things have their way of sneaking in. You could have caught it from browsing a website/ad, downloading/installing a program or opening up an email. By installing those prevention programs, this will help cut back the chances of being reinfected again. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools Last edited by greyknight17 : 01-24-2005 at 09:40 AM.