Huge Problem Please Help!

Question

AngelMelzBabiee 0 Newbie Poster

19 Years Ago

Our computer is highly essential because we have a home studio working out of it. Without it, we can't really pay the bills. So, yes, I'm totally stressin...

Now here is the problem. I have run a number of scans on the computer. Both Spybot S&D and Norton Anti-virus. Everytime I run them over 100 items are found at risk or infected. So I go to quarantine and delete... It will delete some and some deletes fail. Then I restart the computer and it is the same all over again as if I didn't scan the computer at all.

I also read on a site to try to turn off the system restore and reboot into safe mode and run the scans again on the computer. That didn't work.

I downloaded the HijackThis log program. Here is the log that became present.

Logfile of HijackThis v1.99.1
Scan saved at 4:43:35 PM, on 3/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
D:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\odbg1412\odbg1412.exe
C:\windows\system32\msnavc32.exe
C:\WINDOWS\SysCheckBop32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system\qlmlj.exe
D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winfigk32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Shadow\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1A19423E-E04E-423A-8CE7-341833D569FA} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {7807CF0E-7EA3-4150-AE9F-98087A984BAB} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {839DFF99-4F29-43DF-8D23-C365C128DDFF} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {B2445EE6-1A15-4100-BFD5-44C18A6B53F9} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {CD855CFD-D0BA-4343-A890-1E3B4E72BBBC} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {DA8C38B4-622F-44E4-AC10-64B39D49D61D} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {E18A174E-EBEF-48D6-9F56-B8B2B805A249} - C:\Program Files\odbg1412\odbg1412.dll
O2 - BHO: (no name) - {F18D6D23-5047-414D-A81A-816FAF62B3AE} - C:\Program Files\odbg1412\odbg1412.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\System32\nusgbw.exe
O4 - HKLM\..\Run: [celpxo] c:\windows\system32\celpxo.exe
O4 - HKLM\..\Run: [u77X3ne] msakui.exe
O4 - HKLM\..\Run: [xjbdtc] C:\WINDOWS\System32\xjbdtc.exe
O4 - HKLM\..\Run: [odbg1412] C:\Program Files\odbg1412\odbg1412.exe
O4 - HKLM\..\Run: [zmowec] C:\WINDOWS\System32\zmowec.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitexah32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [fwo7RhKpP] mqtskrnl.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097578368437
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/games/v48/haunted/haunted.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - D:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

It is so important that I get a responce quickly in order to keep our apointment. If you have long distance nationwide calling feel free to call me and help that way (650) 346-1793. That is my business line.

I would appreciate any help possible.

THANK YOU SO MUCH!

Melissa Murphy
Shadow Productions
http://flow.shadow-al.com

windows-virus

4 Contributors
5 Replies
153 Views
4 Weeks Discussion Span
Latest Post 19 Years Ago Latest Post by armaniking04

OurNation 5 Master Poster

19 Years Ago

http://www.bleepingcomputer.com/files/dllcompare.php
go there and download it dllcompare and run that and tell us what it says

crunchie 990 Most Valuable Poster

19 Years Ago

Do you have the FkWare version of SysMon or other third party Sysmon Applications?

Go here to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.

Try this scan at Panda as well.

Your PC is full of nasties so we will let the online scanners loose first.
When done, post another log please.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

AngelMelzBabiee 0 Newbie Poster · Answer 1 · 2005-03-06T02:26:42+00:00

Do you have the FkWare version of SysMon or other third party Sysmon Applications?
Go here to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Try this scan at Panda as well.
Your PC is full of nasties so we will let the online scanners loose first.
When done, post another log please.

Detected File Associated Virus Name Action
C:\WINDOWS\system32\Cache\SSK_B5 MVSSK 3.EXE TROJ_SMALL.QN

C:\WINDOWS\system32\Cache\msnavc32.exe TROJ_AGENT.LQ

C:\WINDOWS\system32\msnavc32.exe TROJ_AGENT.LQ

C:\WINDOWS\system\qlmlj.exe TROJ_STARTPAG.EO

C:\WINDOWS\Downloaded Program Files\ActiveSecurity.ocx TROJ_COLLECTOR.A

C:\WINDOWS\SysCheckBop32.exe TROJ_VB.IW

C:\Documents and Settings\Shadow\Local Settings\Temporary Internet Files\Content.IE5\YHIJ2LM5\winupdt[1].exe TROJ_AGENT.LR

C:\Documents and Settings\Shadow\Local Settings\Temporary Internet Files\Content.IE5\SXIFWPIZ\68[1].bin TROJ_SMALL.QN

C:\Documents and Settings\Shadow\Local Settings\Temporary Internet Files\Content.IE5\852B89AJ\counter[1].js EXPL_IFRAMEBO.A

C:\Documents and Settings\Shadow\Local Settings\Temporary Internet Files\Content.IE5\OLQJWPAN\47[1].bin TROJ_AGENT.LQ

C:\Documents and Settings\Shadow\Local Settings\Temporary Internet Files\Content.IE5\KTQFSXUN\protector_update[1].exe TROJ_STARTPA.A

Delete detected file(s) if uncleanable

Trojan/Worm Check
1 worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 1 Trojan horse program(s) and worm(s) on your computer.
Trojan/Worm Name Trojan/Worm Type Action
TROJ_IESER.A
Trojan

This is what was said when the scan finished… but then it just closed when I asked it to clean… I’m so confused

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 2 · 2005-03-06T08:51:02+00:00

Do you have the FkWare version of SysMon or other third party Sysmon Applications?

Just post another log then and we will see what we can do.

But first;

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

armaniking04 0 Newbie Poster · Answer 3 · 2005-04-01T13:20:04+00:00

Microsoft Antispyware Beta 1
Spydoctor is go to