Antivurus did not finish this cleaning...

[Rosangela]

Dear all,

First of all, happy you exist!! After many sleepless nights I think I got lucky.

There is some bug in my system I'm afraid. Suspected that though Norton kept giving me 0-results. A Panda online viruscheck found and removed 2 worms as follows, but I suspect that there is still something going on. Could you check the Hijack This log I am sending below and give me some tip on how to get my system clean for good? Thanks!!!

Rose-DK

Panda Online Viruscheck 18th April:

Trj/Spy.PcGhost.A Disinfected E:\WINNT\system32\NWIZE.EXE
Trj/Spy.PcGhost.A Disinfected E:\WINNT\system32\pcMsg.dll


Logfile of HijackThis v1.97.7
Scan saved at 01:45:05, on 21-04-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\msdtc.exe
E:\WINNT\system32\cisvc.exe
E:\Programmer\Symantec\DeepSight Extractor\ExtractorService.exe
E:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\WINNT\System32\svchost.exe
E:\Programmer\Ahead\InCD\InCDsrv.exe
E:\Programmer\Norton Personal Firewall\NISUM.EXE
E:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\tcpsvcs.exe
E:\WINNT\system32\slserv.exe
E:\WINNT\System32\snmp.exe
E:\WINNT\system32\stisvc.exe
E:\Programmer\Norton Personal Firewall\SymProxySvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\MsPMSPSv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\mqsvc.exe
E:\Programmer\Norton Personal Firewall\NISSERV.EXE
E:\WINNT\System32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Programmer\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
E:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Programmer\Norton Personal Firewall\IAMAPP.EXE
E:\WINNT\system32\hkcmd.exe
E:\WINNT\system32\LVCOMS.EXE
E:\Programmer\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\WINNT\system32\HPZipm12.exe
E:\Programmer\Norton Personal Firewall\ATRACK.EXE
E:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\WINNT\system32\cidaemon.exe
E:\WINNT\System32\rsvp.exe
E:\Programmer\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Lokale indstillinger\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] E:\Programmer\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] E:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] E:\Programmer\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] E:\WINNT\system32\LVCOMS.EXE
O4 - Global Startup: Acrobat Assistant.lnk = E:\Programmer\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Note: The log ends with 2 lines of 'O16' regarding my home-bank. I have deleted these as I believe they are not relevant.

 

[raybro]

I don't see anything bad in your HJT log. There is a little housekeeping you could do, but no indication of a virus that I can see.

To do the housekeeping stuff, do this:

Run a new HJT scan and put a check beside the following objects in the list.

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINNT\p_981116.exe /Q:A

Close all application windows except HJT. Close all browser windows, including this one. Click the Fix Checked button.

Restart your computer.

Here are a few more online scans you can run.

Go Here to run a Symantec virus scan.

Go Here ] to do an online virus scan with HouseCalls:


Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

Go Here and run the Trojan Scan.

 

[Rosangela]

It was a great relief to hear that - will do as you told me and thaks again for taking the time to reply so fast.

Best regards from Copenhagen

Rosangela