eovercash
Thread Starter
- Joined
- Jul 6, 2005
- Messages
- 11
Please help with this problem that just won't go away. Last week, I deleted over 28,000 infected files on this computer using ewido, ccleaner, adaware, spybot and microsoft antispyware. It took forever to get rid of coolwwwsearch. Now this menace refuses to vacate. This computer was clean last week. Now I come back today and I find about 80 files infected with TrojanDownloader.Agent. I went ahead and deleted them and then got the Hijack This report. Maybe I should have gotten the report first? Anyway, here is the Hijack This report:
Logfile of HijackThis v1.99.1
Scan saved at 11:14:39 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\defptr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijack This\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\Software\..\Telephony: DomainName = spartanburgcounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Advantage Plex Printing Service 510 (Ob510ps) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510PS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Logfile of HijackThis v1.99.1
Scan saved at 11:14:39 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\defptr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijack This\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\Software\..\Telephony: DomainName = spartanburgcounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Advantage Plex Printing Service 510 (Ob510ps) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510PS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe