Scan Help! Problem WAS Trojan Zonebac

A few days ago my Norton Anti Virus program found a virus, Trojan.Zonebac, that it couldn't get rid of. I have since run Ad Aware, SpyBot, Panda, BitDefender and Kaspersky as well as ATF cleaner - all multiple times. (I do use the spyware removal stuff regularly). It looks like BitDefender actually got the virus. BUT there is still weird stuff going on. Whenever I launch an Internet Explorer Window I get two dialogue boxes - one that says Windows Installer and another that's Microsoft Money 2003. I have to quit both several times to make them go away as it starts to 'gather information' from my machine. Also I am getting an error with spybot. I would be very very grateful for some advice to remove the malicious items that are still on my machine. THANK YOU!

Bad spybot message:
Advanced detection library !!!bad checksum!
Detection support library !!bad checksum!

yesterday's Panda Active Scan:

Incident Status Location

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@winantivirus[1].txt
Spyware:Cookie/Winantivirus

Here is the Kaspersky Log:

Friday, December 15, 2006 12:29:24 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/12/2006
Kaspersky Anti-Virus database records: 250885


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\

Scan Statistics
Total number of scanned objects 48844
Number of viruses found 1
Number of infected objects 12 / 0
Number of suspicious objects 0
Duration of the scan process 02:56:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006121420061215\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache62893.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-14_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\2296618C.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\22F84D20.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\234312CD.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\235464BB.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\23783294.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\238B2E7E.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\3197410A.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\329935EE.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\34443217.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\348F77C4.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\34A049B2.htm Infected: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\34AD71A4.htm Infected: Exploit.HTML.Mht skipped

C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{80E4C610-E427-40FD-A74A-07770DD454AE}.bin Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:04 AM, on 12/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Wireless LAN Utility\WlanUtility.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plab.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Comments

  • edited December 2006
    Having done some more research on the web I am thinking that perhaps whatever problem I am having - virus, worm, hijack - that it's exploiting my mnyside.dll file - or maybe it's that that very file is corrupt.

    looking for help!!
  • SpywareShooter 127.0.0.1
    edited December 2006
    Please do a virus scan at http://virusscan.jotti.org for the following file, and copy and paste the results here.

    C:\Program Files\Microsoft Money\System\mnyside.dll
  • edited December 2006
    Thanks for the assistance!! I visited the virusscan site and did the scan on the specified file and this was the result. This file looks clean. However, my problem persists...


    File: mnyside.dll
    Status: OK
    MD5 d91c44aa02f4e577414ee667edb2e1d8
    Packers detected: -


    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
  • edited December 2006
    I fixed the Spybot Problem by uninstalling v1.3 and reinstalling v1.4. I am STILL having the same problem though in regards to the Microsoft Money 2003 and Windows Installer dialogue boxes launching whenever I launch an Internet Explorer Window or sometimes when I open a file folder (and thus Windows explorer) as well.

    I also installed AVG and did a scan and removed a worm. Still the problem though.

    HELP!!!!
  • SpywareShooter 127.0.0.1
    edited December 2006
    Please post a new HijackThis log in case anything has changed since your last one.
  • edited December 2006
    Here's a fresh Log! Thanks for the help!


    Logfile of HijackThis v1.99.1
    Scan saved at 11:14:14 AM, on 12/17/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Nikon\NkView5\NkvMon.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Wireless LAN Utility\WlanUtility.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar5.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar5.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - AppInit_DLLs:
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plab.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Trogan London, UK
    edited December 2006
    Sorry for the delay. You have a nasty infection on the computer. :(

    Please download this file to your Desktop and run it.

    FindAWF

    It will produce a log. Please post that here.
  • edited December 2006
    This is what I feared :wtf:
    Thanks for helping!!
    Here is the resulting log:


    Find AWF report by noahdfear ©2006


    21504 byte files found
    ~~~~~~~~~~~~~



    21504 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    25600 byte files found
    ~~~~~~~~~~~~~



    25600 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    26450 byte files found
    ~~~~~~~~~~~~~



    26450 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\QUICKT~1\BAK

    04/07/2006 08:04p 77,824 qttask.exe
    1 File(s) 77,824 bytes

    Directory of C:\PROGRA~1\SYMNET~1\BAK

    08/30/2005 06:31p 100,056 SNDMon.exe
    1 File(s) 100,056 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    12/02/2003 04:11p 54,296 ccApp.exe
    12/02/2003 04:11p 58,392 ccRegVfy.exe
    2 File(s) 112,688 bytes

    Directory of C:\PROGRA~1\DELL\ACCESS~1\BAK

    11/01/2002 05:47p 208,560 dadapp.exe
    1 File(s) 208,560 bytes

    Directory of C:\PROGRA~1\MICROS~4\SYSTEM\BAK

    07/17/2002 12:00p 200,767 mnyexpr.exe
    1 File(s) 200,767 bytes

    Directory of C:\PROGRA~1\NORTON~1\ADVTOOLS\BAK

    08/26/2002 11:35p 79,480 ADVCHK.EXE
    1 File(s) 79,480 bytes

    Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

    08/21/2006 04:37p 20,053,032 Skype.exe
    1 File(s) 20,053,032 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    10/11/2002 01:29p 561,152 SynTPEnh.exe
    10/11/2002 01:30p 126,976 SynTPLpr.exe
    2 File(s) 688,128 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    08/06/2004 02:33p 2,502,656 ypager.exe
    1 File(s) 2,502,656 bytes


    09/04/2001 04:31p 655,360 DirectCD.exe
    1 File(s) 655,360 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    09/23/2004 12:35p 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

    11/02/2004 04:59p 218,240 UsrPrmpt.exe
    1 File(s) 218,240 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\10720~1.364\BAK

    09/12/2006 05:59p 155,896 GoogleToolbarNotifier.exe
    1 File(s) 155,896 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    77824 Apr 7 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    100056 Aug 30 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
    54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
    208560 Nov 1 2002 "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe"
    200767 Jul 17 2002 "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
    79480 Aug 26 2002 "C:\Program Files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE"
    79480 Sep 4 2002 "C:\Documents and Settings\Administrator\Local Settings\Temp\Norton AntiVirus 2003 Professional\AdvTools\AdvChk.exe"
    20053032 Aug 21 2006 "C:\Program Files\Skype\Phone\bak\Skype.exe"
    561152 Oct 11 2002 "C:\dell\drivers\R52818\SynTPEnh.exe"
    561152 Oct 11 2002 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
    126976 Oct 11 2002 "C:\dell\drivers\R52818\SynTPLpr.exe"
    126976 Oct 11 2002 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
    2502656 Aug 6 2004 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
    655360 Sep 4 2001 "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
    180269 Sep 23 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
    163576 Oct 19 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
    155896 Sep 12 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"


    end of report
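
Added example, not part of the original thread or of the FindAWF tool: a Python script that reads the report's "Duplicate files of bak directory contents" lines, maps each bak copy to the live path it sits beside, and lists same-name, same-size copies elsewhere on disk that could serve as an independent reference. The function names are hypothetical, the sample lines are copied from the report above, and treating each bak copy as the original executable is an assumption taken from the fix posted later in this thread.

```python
import ntpath
import re

# Sample input: lines copied from the "Duplicate files of bak directory
# contents" section of the FindAWF report in this thread.
SAMPLE_REPORT = r'''
77824 Apr 7 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
79480 Aug 26 2002 "C:\Program Files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE"
79480 Sep 4 2002 "C:\Documents and Settings\Administrator\Local Settings\Temp\Norton AntiVirus 2003 Professional\AdvTools\AdvChk.exe"
561152 Oct 11 2002 "C:\dell\drivers\R52818\SynTPEnh.exe"
561152 Oct 11 2002 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
163576 Oct 19 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
155896 Sep 12 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"
'''

# Fields per line: size in bytes, month, day, year, quoted Windows path.
LINE_RE = re.compile(
    r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"([^"]+)"\s*$'
)


def parse_duplicates(text):
    """Return one dict per well-formed report line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        size, month, day, year, path = match.groups()
        entries.append(
            {"size": int(size), "date": f"{month} {day} {year}", "path": path}
        )
    return entries


def in_bak_folder(path):
    """True when the file's immediate parent directory is named 'bak'."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def restore_plan(entries):
    """Pair every bak copy with the live path one directory up.

    'references' lists copies outside any bak folder that share the file
    name (case-insensitive) and byte size. A size match is only a weak
    hint: compare hashes against a known-good source before trusting it.
    """
    plan = []
    for entry in entries:
        if not in_bak_folder(entry["path"]):
            continue
        name = ntpath.basename(entry["path"])
        live_dir = ntpath.dirname(ntpath.dirname(entry["path"]))
        references = [
            other["path"]
            for other in entries
            if not in_bak_folder(other["path"])
            and ntpath.basename(other["path"]).lower() == name.lower()
            and other["size"] == entry["size"]
        ]
        plan.append(
            {
                "backup": entry["path"],
                "target": ntpath.join(live_dir, name),
                "size": entry["size"],
                "references": references,
            }
        )
    return plan


if __name__ == "__main__":
    for item in restore_plan(parse_duplicates(SAMPLE_REPORT)):
        print(f'{item["backup"]}\n  -> {item["target"]} ({item["size"]} bytes)')
        for ref in item["references"]:
            print(f"  same name and size elsewhere: {ref}")
        if not item["references"]:
            print("  no independent copy listed in the report")
```
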
  • Trogan London, UK
    edited December 2006
    Sorry for the delay.

    I need to get some advice on this infection. I will post back as soon as possible.
  • Trogan London, UK
    edited December 2006
    Hello hilodavey!

    You should print out or copy these instructions as the Internet will not be available for part of the fix. Please follow the instructions carefully.

    Let's begin...

    Download these files to your Desktop. Right-click and select Save Links As (in Firefox) or Save Target As (in IE) to download.
    1. http://www.mvps.org/winhelp2002/DelDomains.inf
    2. http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
    Don't do anything with them yet!
    ____________________________

    Open Notepad!
    Copy and Paste everything from the Quote box into Notepad:
    if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
    copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
    if exist "C:\Program Files\SymNetDrv\SNDMon.exe" del /q "C:\Program Files\SymNetDrv\SNDMon.exe"
    copy /y "C:\Program Files\SymNetDrv\bak\SNDMon.exe" "C:\Program Files\SymNetDrv\SNDMon.exe"
    if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    if exist "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe" "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    if exist "C:\Program Files\Dell\AccessDirect\dadapp.exe" del /q "C:\Program Files\Dell\AccessDirect\dadapp.exe"
    copy /y "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe" "C:\Program Files\Dell\AccessDirect\dadapp.exe"
    if exist "C:\Program Files\Microsoft Money\System\mnyexpr.exe" del /q "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    copy /y "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe" "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    if exist "C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK.EXE" del /q "C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK.EXE"
    copy /y "C:\Program Files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE" "C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK.EXE"
    if exist "C:\Program Files\Skype\Phone\Skype.exe" del /q "C:\Program Files\Skype\Phone\Skype.exe"
    copy /y "C:\Program Files\Skype\Phone\bak\Skype.exe" "C:\Program Files\Skype\Phone\Skype.exe"
    if exist "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" del /q "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    copy /y "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe" "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    if exist "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" del /q "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    copy /y "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe" "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    if exist "C:\Program Files\Yahoo!\Messenger\ypager.exe" del /q "C:\Program Files\Yahoo!\Messenger\ypager.exe"
    copy /y "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe" "C:\Program Files\Yahoo!\Messenger\ypager.exe"
    if exist "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" del /q "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    copy /y "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe" "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    if exist "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" del /q "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    copy /y "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    Go to File > Save As
    Save File name as "Fix.bat" (including quotes)
    Save the file to your Desktop
    ____________________________

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Log in to your usual account.
    ____________________________

    Locate Fix.bat on your Desktop and double-click it. A black box will open and close quickly - that is normal!

    Reboot back into Normal Mode
    ____________________________

    Locate the two files you downloaded earlier...

    Right-click on DelDomains.inf and select install
    Right-click on ResetProtocolDefaults.reg and select merge
    ____________________________

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases


    • Click OK
    • Now under select a target to scan:
      Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Save the file to your desktop.

    Please post the following...
    1. Kaspersky log
    2. New HijackThis log
      • edited December 2006
        Thank you for these easy-to-follow instructions Trogan!!
        I followed the instructions and here is the resulting log.

        I can also report that when I launched IE to come back here to post the log, I didn't get those Microsoft Money 2003/Windows Installer dialogue boxes popping up!!
        Thanks again!!

        Logfile of HijackThis v1.99.1
        Scan saved at 5:24:59 PM, on 12/22/2006
        Platform: Windows 2000 SP4 (WinNT 5.00.2195)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\WINNT\system32\svchost.exe
        C:\WINNT\System32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\Program Files\Norton AntiVirus\navapsvc.exe
        C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
        C:\WINNT\system32\regsvc.exe
        C:\WINNT\system32\MSTask.exe
        C:\WINNT\System32\tcpsvcs.exe
        C:\WINNT\System32\WBEM\WinMgmt.exe
        C:\WINNT\System32\mspmspsv.exe
        C:\WINNT\system32\svchost.exe
        C:\WINNT\Explorer.EXE
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
        C:\Program Files\Nikon\NkView5\NkvMon.exe
        C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        C:\Program Files\Wireless LAN Utility\WlanUtility.exe
        C:\WINNT\system32\wuauclt.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
        C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
        O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar5.dll
        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar5.dll
        O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
        O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
        O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
        O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
        O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
        O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
        O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
        O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
        O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
        O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
        O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
        O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
        O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
        O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
        O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O20 - AppInit_DLLs:
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plab.exe
        O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
        O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
        O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
        O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
        O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
        O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      • Trogan London, UK
        edited December 2006
        Could you run Kaspersky again and post its log please.

        Thanks!
      • edited December 2006
        Sorry I didn't do this the first time!! (I printed out the instructions and cut off this last step).

        Here is the Kaspersky Log:

        Friday, December 22, 2006 9:19:01 PM
        Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
        Kaspersky Online Scanner version: 5.0.83.0
        Kaspersky Anti-Virus database last update: 23/12/2006
        Kaspersky Anti-Virus database records: 253815


        Scan Settings
        Scan using the following antivirus database extended
        Scan Archives true
        Scan Mail Bases true

        Scan Target My Computer
        C:\

        Scan Statistics
        Total number of scanned objects 61483
        Number of viruses found 1
        Number of infected objects 12 / 0
        Number of suspicious objects 0
        Duration of the scan process 02:26:28

        Infected Object Name Virus Name Last Action
        C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped

        C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

        C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

        C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006122220061223\index.dat Object is locked skipped

        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

        C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

        C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

        C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-22_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

        C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

        C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

        C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

        C:\Program Files\Norton AntiVirus\Quarantine\2296618C.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\22F84D20.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\234312CD.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\235464BB.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\23783294.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\238B2E7E.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\3197410A.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\329935EE.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\34443217.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\348F77C4.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\34A049B2.htm Infected: Exploit.HTML.Mht skipped

        C:\Program Files\Norton AntiVirus\Quarantine\34AD71A4.htm Infected: Exploit.HTML.Mht skipped

        C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped

        C:\WINNT\CSC\00000001 Object is locked skipped

        C:\WINNT\Debug\ipsecpa.log Object is locked skipped

        C:\WINNT\Debug\oakley.log Object is locked skipped

        C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

        C:\WINNT\SchedLgU.Txt Object is locked skipped

        C:\WINNT\SoftwareDistribution\EventCache\{C2BBBF50-C756-4221-BB8E-0DA5A1E25CE3}.bin Object is locked skipped

        C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

        C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

        C:\WINNT\system32\config\default Object is locked skipped

        C:\WINNT\system32\config\default.LOG Object is locked skipped

        C:\WINNT\system32\config\SAM Object is locked skipped

        C:\WINNT\system32\config\SAM.LOG Object is locked skipped

        C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

        C:\WINNT\system32\config\SECURITY Object is locked skipped

        C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

        C:\WINNT\system32\config\software Object is locked skipped

        C:\WINNT\system32\config\software.LOG Object is locked skipped

        C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

        C:\WINNT\system32\config\system Object is locked skipped

        C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

        C:\WINNT\WindowsUpdate.log Object is locked skipped

        Scan process completed.


        Thank you!
      • Trogan London, UK
        edited December 2006
        Good job! :thumbsup: Just a little left to do...

        Open HijackThis
        - Click the Do a system scan only button
        - Check the following entries (below)

        O20 - AppInit_DLLs:

        - Close ALL open windows (especially Internet Explorer!)
        - Click Fix Checked
        Close HijackThis
        _______________________

        Let's empty out Norton's quarantine...

        Navigate to the quarantine folder and delete everything inside.

        C:\Program Files\Norton AntiVirus\Quarantine

        Empty the Recycle Bin
        _______________________

        Reboot and post one more HijackThis log please.

        I'm going to be away for a few days and will be unable to respond until I get back.
      • edited December 2006
        When I 'fixed' that particular line item in the HJT scan I got the following error message:

        An unexpected error has occurred at procedure: modBackup_makeBackup9sItem=20 – AppInt_DLLs: )
        Error #5 – Invalid procedure or argument

        Please email me at merijn@spywareinfo.com, reporting the following:
        *What you were trying to fix when the error occurred, if applicable
        *How you can reproduce the error
        *A complete HijackThis scan log if possible


        Should I indeed send an email as the message requested and just refer the person to this string?

        When I ran HJT again, the file we 'fixed' was gone. So maybe all is well.

        I also cleared out the Norton file as instructed.

        Here's the new HJT log:

        Logfile of HijackThis v1.99.1
        Scan saved at 11:44:56 AM, on 12/23/2006
        Platform: Windows 2000 SP4 (WinNT 5.00.2195)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\WINNT\system32\svchost.exe
        C:\WINNT\System32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\Program Files\Norton AntiVirus\navapsvc.exe
        C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
        C:\WINNT\system32\regsvc.exe
        C:\WINNT\system32\MSTask.exe
        C:\WINNT\System32\tcpsvcs.exe
        C:\WINNT\System32\WBEM\WinMgmt.exe
        C:\WINNT\System32\mspmspsv.exe
        C:\WINNT\system32\svchost.exe
        C:\WINNT\Explorer.EXE
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
        C:\Program Files\Nikon\NkView5\NkvMon.exe
        C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        C:\Program Files\Wireless LAN Utility\WlanUtility.exe
        C:\WINNT\system32\wuauclt.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
        C:\Program Files\MSN Messenger\msnmsgr.exe
        C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
        O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar5.dll
        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar5.dll
        O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
        O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
        O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
        O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
        O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
        O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
        O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
        O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
        O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
        O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
        O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
        O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
        O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
        O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
        O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plab.exe
        O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
        O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
        O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
        O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
        O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
        O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


        Thanks for your help!!! Enjoy your days away. I'll look forward to your comments when you return.:smiles:
      • Trogan London, UK
        edited December 2006
        Sorry for the delay. I was away for Christmas.

        No problem about the error. The entry is gone, which is good.

        Let me know how things are and if we can mark this resolved. :)
      • edited December 2006
        Everything seems to be working fine now, no recurrence of those symptoms so I think that we can consider this string resolved. Thanks so much for your help!!!:smiles:
      • Trogan London, UK
        edited January 2007
        You are welcome! :)

        This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

        Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

        If you are not the user who started this thread, you must start a new Thread instead :)

        Would you also be interested in joining Short-Media (Team #93) with the Folding@Home Project? More information available at this link:
        http://www.short-media.com/forum/showthread.php?t=29803
      This discussion has been closed.