
Antivirus did not finish this cleaning...

Discussion in 'Virus & Other Malware Removal' started by Rosangela, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. Rosangela

    Rosangela Thread Starter

    Joined:
    Apr 20, 2004
    Messages:
    2
    :confused: Dear all,

    First of all, happy you exist!! After many sleepless nights I think I got lucky.

    There is some bug in my system I'm afraid. Suspected that though Norton kept giving me 0-results. A Panda online viruscheck found and removed 2 worms as follows, but I suspect that there is still something going on. Could you check the Hijack This log I am sending below and give me some tip on how to get my system clean for good? Thanks!!!

    Rose-DK

    Panda Online Viruscheck 18th April:

    Trj/Spy.PcGhost.A Disinfected E:\WINNT\system32\NWIZE.EXE
    Trj/Spy.PcGhost.A Disinfected E:\WINNT\system32\pcMsg.dll


    Logfile of HijackThis v1.97.7
    Scan saved at 01:45:05, on 21-04-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\System32\msdtc.exe
    E:\WINNT\system32\cisvc.exe
    E:\Programmer\Symantec\DeepSight Extractor\ExtractorService.exe
    E:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    E:\WINNT\System32\svchost.exe
    E:\Programmer\Ahead\InCD\InCDsrv.exe
    E:\Programmer\Norton Personal Firewall\NISUM.EXE
    E:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\System32\tcpsvcs.exe
    E:\WINNT\system32\slserv.exe
    E:\WINNT\System32\snmp.exe
    E:\WINNT\system32\stisvc.exe
    E:\Programmer\Norton Personal Firewall\SymProxySvc.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\MsPMSPSv.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\mqsvc.exe
    E:\Programmer\Norton Personal Firewall\NISSERV.EXE
    E:\WINNT\System32\svchost.exe
    E:\WINNT\Explorer.EXE
    E:\Programmer\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    E:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
    E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    E:\Programmer\Norton Personal Firewall\IAMAPP.EXE
    E:\WINNT\system32\hkcmd.exe
    E:\WINNT\system32\LVCOMS.EXE
    E:\Programmer\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    E:\WINNT\system32\HPZipm12.exe
    E:\Programmer\Norton Personal Firewall\ATRACK.EXE
    E:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    E:\WINNT\system32\cidaemon.exe
    E:\WINNT\System32\rsvp.exe
    E:\Programmer\Internet Explorer\IEXPLORE.EXE
    E:\PROGRA~1\WINZIP\winzip32.exe
    E:\Documents and Settings\Administrator\Lokale indstillinger\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LWBMOUSE] E:\Programmer\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\Run: [LWBKEYBOARD] E:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
    O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iamapp] E:\Programmer\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [HotKeysCmds] E:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINNT\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVCOMS] E:\WINNT\system32\LVCOMS.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = E:\Programmer\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = E:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    Note: The log ends with 2 lines of 'O16' regarding my home-bank. I have deleted these as I believe they are not relevant.
     
  2. raybro

    raybro

    Joined:
    Apr 26, 2003
    Messages:
    5,836
    I don't see anything bad in your HJT log. There is a little housekeeping you could do, but no indication of a virus that I can see.

    To do the housekeeping stuff, do this:

    Run a new HJT scan and put a check beside the following objects in the list.

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

    O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINNT\p_981116.exe /Q:A


    Close all application windows except HJT. Close all browser windows, including this one. Click the Fix Checked button.

    Restart your computer.

    Here are a few more online scans you can run.

    Go Here to run a Symantec virus scan.

    Go Here to do an online virus scan with HouseCalls:


    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Go Here and run the Trojan Scan.
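
As an added example (not part of the original thread): a small Python parser for the HijackThis entry lines posted above, which picks out entries whose file is reported as `(no file)`, like the O2 entry raybro marks for housekeeping, and lists the hosts behind the O16 entries. The sample lines are copied from the log in this thread; the function and variable names are illustrative.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
E:\WINNT\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINNT\p_981116.exe /Q:A
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
"""

# An entry line is "<section code> - <detail>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
GUID = r"\{[0-9A-Fa-f-]{36}\}"
FIELDS = [  # per-section layout of the detail text; tried in order
    ("O2", re.compile(r"^BHO: .*? - (?P<id>" + GUID + r") - (?P<target>.+)$")),
    ("O4", re.compile(r"^[^:]+: \[(?P<id>[^\]]+)\] (?P<target>.+)$")),
    ("O4", re.compile(r"^[^:]+: (?P<id>.+?) = (?P<target>.+)$")),
    ("O16", re.compile(r"^DPF: (?P<id>" + GUID + r") \(.*\) - (?P<target>\S+)$")),
]

def parse_log(text):
    """Return one dict per R*/O* entry; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, detail = m.groups()
        entry = {"section": section, "detail": detail, "id": None, "target": None}
        for sec, rx in FIELDS:
            fm = rx.match(detail) if sec == section else None
            if fm:
                entry.update(id=fm["id"], target=fm["target"])
                break
        entries.append(entry)
    return entries

def orphaned(entries):
    """Entries that HijackThis lists with '(no file)' in place of a file path."""
    return [e for e in entries if e["target"] == "(no file)"]

def dpf_hosts(entries):
    """Hosts that the O16 (DPF) entries reference, for manual review."""
    return sorted({urlparse(e["target"]).hostname for e in entries if e["section"] == "O16" and e["target"]})
```
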
     
  3. Rosangela

    Rosangela Thread Starter

    Joined:
    Apr 20, 2004
    Messages:
    2
    It was a great relief to hear that (y) - will do as you told me and thanks again for taking the time to reply so fast.

    Best regards from Copenhagen

    Rosangela
     

Short URL to this thread: https://techguy.org/222428
