
daily trojan (HJT log posted)

Discussion in 'Malware and Virus Removal Archive' started by pipsy, 2005/01/20.

Thread Status:
Not open for further replies.
  1. 2005/01/20
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    Help please

    I've run ad-watch and spybot. Everyday a trojan is detected and deleted.
    Last time I posted my hijackthis log the administrator locked my note. What am I doing wrong?
    Anyway here is my log. What should I delete?
    Logfile of HijackThis v1.99.0
    Scan saved at 8:40:44 AM, on 1/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\mmups.exe
    C:\Program Files\SED\SED.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Family\LOCALS~1\Temp\Rar$EX07.594\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400 "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [rJRFQXPcj] C:\WINDOWS\jvxwgpy.exe
    O4 - HKLM\..\Run: [lofyz] C:\WINDOWS\lofyz.exe
    O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe "
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097512012359
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    Pipsi
     
  2. 2005/01/20
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello pipsy,

    C:\DOCUME~1\Family\LOCALS~1\Temp\Rar$EX07.594\HijackThis.exe

    HijackThis should be downloaded to a folder of its own on the C drive, for example, create a folder C:\HIJACKTHIS and run it from there. Part of the fix is a cleaning out of temp folders, so it can't be in one.

    Regards - Charles
     


  4. 2005/01/20
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    new log

    I downloaded hijackthis to its own folder on the c drive
    here is a new log
    Logfile of HijackThis v1.99.0
    Scan saved at 10:47:50 AM, on 1/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\mmups.exe
    C:\Program Files\SED\SED.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\AIM\aim.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400 "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [rJRFQXPcj] C:\WINDOWS\jvxwgpy.exe
    O4 - HKLM\..\Run: [lofyz] C:\WINDOWS\lofyz.exe
    O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe "
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097512012359
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    pipsi
     
  5. 2005/01/20
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi pipsy,

    The red arrow indicates that you're logged on and have posts in the thread. If you hover over it, it also gives you the number of posts that are yours in that thread.

    This thread will be moved to the appropriate security section by one of the Mods.

    Regards - Charles
     
  6. 2005/01/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    HJT Log posted - thread title edited and moved to Removing Spyware and Viruses Forum
     
  7. 2005/01/21
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    daily deletions

    I thought it might help to see what Symantec is finding and deleting when I start up. Should I just leave the computer on all the time?

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\e9nNU6.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:06:10 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\v2EF5d.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:07:12 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\40rMAL.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:08:13 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\vcYTu8.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:09:14 PM


    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\dZBrGD.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:10:14 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\eGAmhF.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:11:15 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\BKBmKT.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:12:15 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\bBQ3DK.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:13:16 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\fAYqGG.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2:14:17 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.Trojan
    File: C:\DOCUME~1\Family\LOCALS~1\Temp\djCB9b.exe
    Location: C:\DOCUME~1\Family\LOCALS~1\Temp
    Computer: ATTIC
    User: Family
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, January 21, 2005 2

    Pipsy :confused:
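Read as a series, the events above are one detection about every minute, each a new six-character name in the same Temp folder, each deleted and then replaced by the next. As an added example (not from the thread or from Symantec), this Python code parses that Auto-Protect event layout and scores the cadence, to make the point the later replies act on: the on-access scanner is cleaning up after a launcher that is still installed. The name pattern and the cadence thresholds are assumptions chosen for this sample.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: three of the Symantec AntiVirus Auto-Protect events posted
# in this thread, in the field layout the product writes (blank line between events).
SAMPLE_EVENTS = r"""
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Downloader.Trojan
File: C:\DOCUME~1\Family\LOCALS~1\Temp\e9nNU6.exe
Location: C:\DOCUME~1\Family\LOCALS~1\Temp
Computer: ATTIC
User: Family
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, January 21, 2005 2:06:10 PM

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Downloader.Trojan
File: C:\DOCUME~1\Family\LOCALS~1\Temp\v2EF5d.exe
Location: C:\DOCUME~1\Family\LOCALS~1\Temp
Computer: ATTIC
User: Family
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, January 21, 2005 2:07:12 PM

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Downloader.Trojan
File: C:\DOCUME~1\Family\LOCALS~1\Temp\40rMAL.exe
Location: C:\DOCUME~1\Family\LOCALS~1\Temp
Computer: ATTIC
User: Family
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, January 21, 2005 2:08:13 PM
"""

DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"  # matches "Friday, January 21, 2005 2:06:10 PM"
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{6}$")  # assumption: the dropper's naming scheme


def parse_events(text: str) -> list:
    """One dict per event. Split each line on the first ': ' only, because the
    'Action taken' value itself contains ' : ' separators."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                ev[key.strip()] = value.strip()
        if "Date found" in ev:
            ev["when"] = datetime.strptime(ev["Date found"], DATE_FMT)
            events.append(ev)
    return events


def looks_generated(filename: str) -> bool:
    """Six alphanumerics mixing digits or letter case (e9nNU6.exe) is a throwaway name."""
    stem = filename.rsplit(".", 1)[0]
    mixed_case = stem != stem.lower() and stem != stem.upper()
    return bool(RANDOM_STEM.match(stem)) and (any(c.isdigit() for c in stem) or mixed_case)


def assess(events: list, min_count: int = 3, max_gap_s: int = 120) -> list:
    """Group detections by threat and directory. A steady cadence of freshly named
    files that the scanner keeps deleting points to a launcher that is still
    installed; min_count and max_gap_s are assumptions for this example."""
    groups = {}
    for ev in events:
        groups.setdefault((ev["Threat"], ev["Location"].lower()), []).append(ev)
    results = []
    for (threat, location), evs in groups.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(evs, evs[1:])]
        generated = all(looks_generated(e["File"].rsplit("\\", 1)[-1]) for e in evs)
        deleted_only = all("Delete succeeded" in e["Action taken"] for e in evs)
        recurring = len(evs) >= min_count and bool(gaps) and max(gaps) <= max_gap_s and generated
        results.append({
            "threat": threat, "location": location, "count": len(evs),
            "median_gap_s": median(gaps) if gaps else None,
            "recurring_dropper": recurring,
            "note": ("on-access deletion is not remediation; remove the startup entry that re-creates these files"
                     if recurring and deleted_only else "isolated detection(s)"),
        })
    return results


if __name__ == "__main__":
    for r in assess(parse_events(SAMPLE_EVENTS)):
        print(r)
```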
     
  8. 2005/01/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Pipsy - I am fairly good on spyware removal but when I started taking a look at your log, I realized I was way in over my head. You are loaded with bad stuff and some of it is tricky so I was afraid all I would do is make it harder for the pros to find all the stuff that needs dealing with.

    I'll flag this thread for some expert attention and you should get instructions within a day or so.
     
    Newt,
    #7
  9. 2005/01/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should print this out and/or save it to text where you can access it in safe mode. It's very important to follow the instructions completely, and in the order given.

    Download and install Ad-aware (link in my signature). Open and check for updates. Close for now.

    Download CWShredder 2.0 from here. Save it to the desktop. Double click to install.

    Download and install RegSeeker.

    Download LSPFix.zip and unzip to its own folder.

    Go to start>run and type services.msc. Locate Wintools in the list, right click and select properties. Stop the service, then set startup type to disabled, click apply and OK out.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rJRFQXPcj] C:\WINDOWS\jvxwgpy.exe
    O4 - HKLM\..\Run: [lofyz] C:\WINDOWS\lofyz.exe
    O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe "
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Open CWShredder from the new shortcut on the desktop, close ALL other windows and click fix.

    Open C:\Program Files and delete the folders Admanager Controller, SED and Toolbar.
    Open C:\Program Files\Common files and delete the folder WinTools.
    Open C:\WINDOWS and delete the files jvxwgpy.exe, lofyz.exe and mmups.exe.
    Open C:\WINDOWS\system32 and delete the folders vmss and wsxsvc.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.

    Run Ad-aware in full scan mode. Delete all it finds.

    Open LSPFix and place the dolsp.dll in the remove column, check the box I know what I am doing and click finish.

    Open RegSeeker. Click find in registry and search the entire registry for WinTools and WTools. Delete all.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
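The entries picked out for fixing above share a few tells that can be read straight off the HijackThis line format: Run entries whose executable sits directly in C:\WINDOWS or in an odd system32 subfolder, a Run value name that looks random or borrows an .exe name it does not launch, IE search handlers pointed away from Microsoft, and an LSP file HJT cannot identify. As an added example, not code from the thread or from HijackThis, this Python script applies those rules to a constructed sample drawn from the log posted above; the trusted search hosts and the allowed system32 subfolders are assumptions. It catches the location-based entries but not the Program Files adware (Toolbar, WinTools, SED, Admanager Controller), which needs a name lookup rather than a path rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99 entries posted in this
# thread, mixed with known-good entries so the rules have clean lines to pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400 "
O4 - HKLM\..\Run: [rJRFQXPcj] C:\WINDOWS\jvxwgpy.exe
O4 - HKLM\..\Run: [lofyz] C:\WINDOWS\lofyz.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

R0_RE = re.compile(r"^R0 - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# IE search-handler values hijackers rewrite; Start Page is a user choice and is not judged.
SEARCH_VALUES = {"SearchAssistant", "CustomizeSearch", "Search Page", "Search Bar", "Default_Search_URL"}
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")  # assumption: IE's own defaults
# Assumption: system32 subfolders that legitimately hold startup binaries (printer drivers etc.).
SYSTEM32_OK_SUBDIRS = {"spool", "drivers", "wbem", "dllcache"}


@dataclass
class Finding:
    line: str
    reasons: list


def _trusted_search(url: str) -> bool:
    """Only http(s) URLs on Microsoft's own hosts count as an untouched search handler."""
    m = re.match(r"^https?://([^/]+)", url, re.I)
    host = m.group(1).lower() if m else ""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS)


def _exe_path(cmd: str) -> str:
    """The launched file: the quoted path if the command is quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split()[0] if cmd else ""


def _location_reason(path: str):
    parts = [p.lower() for p in path.split("\\")]
    if len(parts) < 3 or not parts[0].endswith(":") or parts[1] != "windows":
        return None  # bare names (rundll32.exe, nwiz.exe) and non-Windows dirs are not judged here
    if len(parts) == 3:
        return "executable placed directly in %WINDIR%"
    if parts[2] == "system32" and len(parts) > 4 and parts[3] not in SYSTEM32_OK_SUBDIRS:
        return "executable in a non-standard %WINDIR%\\system32 subfolder"
    return None


def triage(log_text: str) -> list:
    """Return the log lines worth a closer look, each with the rule(s) that fired."""
    findings = []
    for raw in log_text.splitlines():
        line, reasons = raw.strip(), []
        if m := R0_RE.match(line):
            if m["value"].strip() in SEARCH_VALUES and not _trusted_search(m["data"]):
                reasons.append("IE search handler redirected away from Microsoft")
        elif m := O4_RUN_RE.match(line):
            name, path = m["name"], _exe_path(m["cmd"])
            if loc := _location_reason(path):
                reasons.append(loc)
            if len(name) >= 8 and not re.search(r"[aeiou]", name, re.I):
                reasons.append("Run value name looks randomly generated")
            if name.lower().endswith(".exe") and name.lower() != path.rsplit("\\", 1)[-1].lower():
                reasons.append("Run value name mimics an .exe but launches a different file")
        elif O10_RE.match(line):
            reasons.append("Winsock LSP HijackThis cannot identify; fix with an LSP tool, never by deleting the DLL")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```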
     
  10. 2005/01/22
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Hey, Newt! Thought you said you were calling in an expert?? :confused:
    Who is this "Dave" guy anyway? :D What does he know about comp security? Last I heard, he was a multi-boot specialist, with every known flavor of Windows...oh, that's right, so he could infect every drive on his comp at once and compare behavior. Newt, I think the guy needs psychiatric help. He asks people to send him infections! :p :rolleyes: He's one guy you should never put on "auto accept"!!

    Pipsy Relax, and follow along with Dave. Ask questions if you don't understand something. You are in very good hands.

    Johanna
    ;)
     
  11. 2005/01/22
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    don't have wintools

    (Thanks, you are awesome)
    CW shredder, and regseeker are on the desktop.
    LSPFix is in its own folder on C drive

    I got up to service.msc and no Wintools????

    advise...
    pipsy
     
  12. 2005/01/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just skip that step and proceed with the rest. If you take out all of the Wintools references found with RegSeeker it will remove the service anyway.
     
  13. 2005/01/23
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    found suspicious files

    I'm on page 2 of your instructions, in safe mode

    no Admanager Controller or Toolbar folders
    no lofyz.exe in Windows
    but found a series of files in Windows all started at the suspicious Jan15 12:16 or 12:17 date:

    unstall (comp df)
    tempf
    m21.oxc(Activex Control)
    mm15201518.stub
    ssKb5
    e2g25
    optimize
    180ax-gdf (dat file)
    180axau(dat file)

    no wsxsvc in Windows/System32

    and when I try to delete Windows/temp it says 'desktop' is a system file and removing it may cause your computer not to work correctly
    desktop is in a few of the folders in there

    Should I delete them anyway?
    Should I delete the other suspicious files?
    Pipsi
     
    Last edited: 2005/01/23
  14. 2005/01/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can safely remove the desktop.ini files and yes, remove the other files also. Look for folders in Program Files named Internet Optimizer and 180 Solutions and delete if present too.
     
  15. 2005/01/23
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    all gone?

    Ok a few things

    Symantec start up scan found nothing! yeah!

    Ad-aware has 665 quarantined files
    Should I delete and how?

    System config Utility box opens on reboot
    says: on diagnostic or selective start up mode.
    options to go back to normal start include going back to previous settings
    worried will restore stuff

    couldn't run Rav says:

    Failed to load ActiveX control!
    -- You must have administrative rights on this computer;
    you also must have the Internet Explorer security settings to the Medium level.
    I have my internet settings on medium level

    hijack file:
    Logfile of HijackThis v1.99.0
    Scan saved at 12:05:55 PM, on 1/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400 "
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097512012359
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    When this is all done, do I turn on system restore?
    Should I make a restore point?
    Pipsy
     
  16. 2005/01/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open Ad-aware and click the Open quarantine list link. Select and delete.

    The system configuration utility popup was a result of using the /safeboot option. Check the box not to show it again and click OK.

    Try running Panda ActiveScan.

    An entry in the log suggests you have used the startup tab in msconfig to disable some programs. If you know those are OK, leave them, otherwise recheck all entries on the startup tab, reboot and post a new log.

    Log looks clean otherwise. If you can get a clean report from an online scan, then do turn system restore back on and create a manual restore point.

    Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
    Then download and install IESpyad.

    That will give you some added layers of protection against unwanted parasites.
     
  17. 2005/01/23
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    new log

    couldn't run panda activescan
    says:
    Possible causes of this error are:
    Not allowing the application's ActiveX control to be downloaded.
    Problems with the Internet connection.
    Other causes (consult the FAQs).

    I must have a setting blocking it.

    everything was checked in the start up tab, but I unchecked and rechecked all and rebooted.


    Logfile of HijackThis v1.99.0
    Scan saved at 4:23:08 PM, on 1/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400 "
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097512012359
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  18. 2005/01/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Log looks good. Click the custom level button on security tab and make sure download and run ActiveX are set to enable. Are you getting the yellow bar under your browser telling you an ActiveX is trying to load?
     
  19. 2005/01/23
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    I changed the security settings to enable, and ran Panda...it came up empty.
    Three cheers!!!! I'll turn on system restore and create a manual restore point.
    Didn't notice a yellow bar.
    Do I want to leave both download Activex signed and unsigned in enable?
    :)
    pipsy
     
    Last edited: 2005/01/23
  20. 2005/01/23
    pipsy

    pipsy Inactive Thread Starter

    Joined:
    2005/01/16
    Messages:
    9
    Likes Received:
    0
    system restore

    I turned system restore back on and made a restore point.

    THANK-YOU :)

    For all concerned we think this all began when my daughter downloaded some smileys!!!
    Pipsy
     
    Last edited: 2005/01/23
  21. 2005/01/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should disable unsigned ActiveX controls. Glad to hear you came up clean, and happy to have helped. :)
     