# Solved: trojan worm? cannot remove



## NWDaydreamer (Oct 29, 2003)

Hi,

I found your site trying to find a way to remove a trojan worm. I am getting confused trying to get rid of this virus. My NAV detected it first but now doesn't find anything. I searched for the file it said it was in and found nothing. I scanned online and found I had what was called Loader.exe. When I tried to delete it, it copied itself. It wouldn't let me submit it to Norton.

I started in safe mode and deleted it. Scanned again with Norton and found nothing. Scanned with an online scanner and found more files; I deleted the files. My printer won't print after deleting script.dll, which it said was IRC generic*. Scanned again and here are the results:

Scan started at 10/28/2003 4:40:56 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\system32\al3azmi.exe - TrojanDownloader:Win32/Apher -> Infected
C:\WINNT\system32\lover.exe - TrojanDownloader:Win32/Apher.gen -> Infected
C:\WINNT\system32\v0x.exe - TrojanDownloader:Win32/Apher.gen -> Infected
C:\WINNT\Web\printers\images\temp - Trojan:IRC/Bounce* -> Infected

I couldn't find these.

I found the Hijack and followed as instructed. I am not very knowledgeable with computers. I have Windows 2000 Pro.

I would really appreciate it if I could find some help 

Logfile of HijackThis v1.97.3
Scan saved at 6:20:41 PM, on 10/28/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\winini.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Snapfish\Devmon.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHT~1\eanthtutor.exe
C:\WINNT\System32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [eanthology_install.exe] C:\DOCUME~1\JAMESF~1\LOCALS~1\Temp\EACDownload\eanthology_install.exe -k
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe
O4 - HKCU\..\Run: [SFPW] C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QuickReg] C:\Program Files\QuickReg\quickreg.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/215a3a49fbb738469421/netzip/RdxIE601.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.5896064815
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------



## IMM (Feb 1, 2002)

This process looks viral
C:\WINNT\system32\winini.exe
Terminate it using Task Manager if possible.

Did you install the DameWare remote control client
C:\WINNT\SYSTEM32\DNTUS26.EXE

(possibly called Mini Remote and/or NT Utilities Client Agent Service)
If not then someone is using it as part of the trojan.


----------



## KeithKman (Dec 29, 2002)

Do this in order:

1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.

2) Read http://tomcoyote.org/SPYBOT/index1.html then download and run SpyBot. Make sure to get the updates for SpyBot before you have it scan your computer. After you scan and remove anything SpyBot finds, make sure to click the Immunize button followed by OK and then click the Immunize button in the right pane.

3) Run one of the following free Anti-Virus programs here:

http://housecall.trendmicro.com - I found this to work the best.

http://www.pandasoftware.com/activescan

http://www.ravantivirus.com/scan

4) RePost HiJackThis log.


----------



## IMM (Feb 1, 2002)

I forgot to mention that all the following are either malware or viral startup entries.
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\Run: [eanthology_install.exe] C:\DOCUME~1\JAMESF~1\LOCALS~1\Temp\EACDownload\eanthology_install.exe -k
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe

Fry the start entries with HJT.

You are using Earthlink and its connection manager is valid?
(Some other ISP's also use it)
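Added example, not part of this thread or of HijackThis itself: a small Python checker that parses O4, R3 and O16 lines like the ones above and flags the patterns the helpers here point at (a bare filename in a Run key, the same program registered under both Run and RunServices, a startup executable living in a temp or web data folder, an orphaned URLSearchHook, an ActiveX control served from a raw IP address). The sample lines are copied from the log posted in this thread; the allowlist of bare names and the rules themselves are assumptions, heuristics that need a human look at every hit.

```python
"""Parse HijackThis O4/R3/O16 lines and flag the startup and browser-hook patterns
this thread treats as malicious. Added example; not HijackThis code and not the
helpers' own tool. The rules are heuristics and will produce false positives."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in this thread, plus ccApp,
# mobsync and the Flash control as clean controls that should not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.3
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\Run: [eanthology_install.exe] C:\DOCUME~1\JAMESF~1\LOCALS~1\Temp\EACDownload\eanthology_install.exe -k
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/215a3a49fbb738469421/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allowlist: bare-name Run entries the helpers in this thread left alone
# (Windows / OEM components). On a real machine this list is maintained by hand.
KNOWN_BARE_NAMES = {"mobsync.exe", "nwiz.exe", "cthelper.exe", "anvshell.exe", "livenote.exe"}

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
R3_ORPHAN_RE = re.compile(r"^R3 - URLSearchHook: .* - \(no file\)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} (?:\([^)]*\) )?- (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id
    line: str      # the offending log line, verbatim
    detail: str    # why it was flagged


def executable_of(command: str) -> str:
    """Return the program part of an O4 command, stripping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    persistence: dict[str, set[str]] = {}   # exe name -> Run keys it sits under
    o4_lines: dict[str, list[str]] = {}     # exe name -> the raw O4 lines

    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, _label, command = m.groups()
            exe = executable_of(command)
            name = exe.rsplit("\\", 1)[-1].lower()
            persistence.setdefault(name, set()).add(f"{hive}\\..\\{key}")
            o4_lines.setdefault(name, []).append(line)
            if "\\" not in exe and name not in KNOWN_BARE_NAMES:
                findings.append(Finding("bare-filename", line,
                    f"{name} is resolved through the search path, not a fixed location"))
            low = exe.lower()
            if "\\temp\\" in low or "\\web\\" in low:
                findings.append(Finding("odd-location", line,
                    f"startup program runs from a temp or web data directory: {exe}"))
            continue
        if R3_ORPHAN_RE.match(line):
            findings.append(Finding("orphaned-hook", line,
                "URLSearchHook CLSID is registered but its file is gone"))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if IPV4_RE.match(host):
                findings.append(Finding("dpf-from-ip", line,
                    f"ActiveX control downloaded from a bare IP address ({host})"))

    # Same program registered under more than one Run key (Run + RunServices here).
    for name, keys in persistence.items():
        if len(keys) > 1:
            for line in o4_lines[name]:
                findings.append(Finding("duplicate-persistence", line,
                    f"{name} is registered under {', '.join(sorted(keys))}"))
    return findings


def flagged_lines(log_text: str) -> set[str]:
    """Just the set of log lines that tripped at least one rule."""
    return {f.line for f in analyze(log_text)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

On the sample, the seven lines the helpers told the poster to fix are flagged and the three clean controls are not; the rules are a starting point for triage, not a verdict.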


----------



## IMM (Feb 1, 2002)

I just did a little poking around and the eanthology_install.exe arrives from the 
*O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/scandl_cnry.cab*
entry (once removed) - it references

run="%EXTRACT_DIR%\cnry.exe raven.veloz.com /pub/download/defscan_install.exe eanth_setup.exe "

as a hook

Fry that entry as well using either HJT or IE Options


----------



## NWDaydreamer (Oct 29, 2003)

> _Originally posted by IMM:_
> *This process looks viral
> C:\WINNT\system32\winini.exe
> Terminate it using Task Manager if possible.
> ...


Wow! Fast help, I so appreciate it.

To answer your question: I did not install the DameWare remote control client. Is that part of 2000 Pro? 2000 Pro was installed for me. They said I needed it instead of 98SE because SE would not recognize the memory upgrade. So I don't know who installed it.
Should I wait to terminate using it before the other steps? I have done the other things asked and am scanning now.


----------



## KeithKman (Dec 29, 2002)

Please do what we suggested and get a fresh HJT log up!


----------



## NWDaydreamer (Oct 29, 2003)

KeithKman, 

You wrote: "4) RePost HiJackThis log".

After the scan, do I rerun "HijackThis" again first? I am assuming yes, then post?

IMM,

The reason you see Earthlink is when I switched service providers and tried to uninstall Earthlink it didn't completely uninstall. I e-mailed and then called them but they said they couldn't help me because I was no longer a customer. 

 

I didn't know what files to delete so I left it alone.


----------



## KeithKman (Dec 29, 2002)

After you complete steps 1 through 3, restart your computer and post a fresh HiJackThis log here.


----------



## NWDaydreamer (Oct 29, 2003)

KeithKman, before I found this message board, I scanned with ravantivirus and several other scans online. The only one that detected it was ravantivirus. I used housecall like you said; it found nothing. Right now I am scanning with RAV. When it is done I will restart my computer and send the HijackThis log file.


----------



## KeithKman (Dec 29, 2002)

Ok...


----------



## NWDaydreamer (Oct 29, 2003)

> _Originally posted by KeithKman:_
> *Ok... *


Here are the RAV scan results:
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\system32\al3azmi.exe - TrojanDownloader:Win32/Apher -> Infected
C:\WINNT\system32\lover.exe - TrojanDownloader:Win32/Apher.gen -> Infected
C:\WINNT\system32\v0x.exe - TrojanDownloader:Win32/Apher.gen -> Infected
C:\WINNT\Web\printers\images\temp - Trojan:IRC/Bounce* -> Infected

and hijackthis:

Logfile of HijackThis v1.97.3
Scan saved at 10:14:28 PM, on 10/28/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\winini.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Snapfish\Devmon.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe
O4 - HKCU\..\Run: [SFPW] C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QuickReg] C:\Program Files\QuickReg\quickreg.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/215a3a49fbb738469421/netzip/RdxIE601.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.5896064815
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------



## KeithKman (Dec 29, 2002)

Rescan with HiJackThis and put a check next to the following. After you do so, make sure you didn't miss any entries. Now close all browser and outlook windows and click "Fix Checked". After you do so, restart your computer and then post a fresh HiJackThis log.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

*O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe*
This is a virus, read below how to disable it.

1) Disable System Restore (Windows Me/XP). If you don't know how, read this: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
2) Update the virus definitions. 
3) Restart the computer in Safe mode or VGA mode. 
4) Run a full system scan and delete all the files detected as W32.Randex.F. 
5) Delete the values that were added to the registry.

More info on the W32.Randex.F worm can be found here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.f.html


----------



## NWDaydreamer (Oct 29, 2003)

ok


----------



## IMM (Feb 1, 2002)

I'm back - Let's try it this way

Terminate these processes.

C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\winini.exe
C:\WINNT\system32\mobsync.exe

Download Process Explorer
Unzip the package to a location where you will keep it for future use.
Run the extracted procexp.exe file from that location and then right click on the 3 tasks and choose Kill.
If the process is successfully terminated - it will vanish from the task list (much like using Ctrl-Alt-Delete and choosing End Task)
Killing a task in this fashion does not delete any files or registry items - it just gets the task out of the way so that the files we wish to delete are not in use.

----------------------
Go to a command prompt. (this remove stuff is a bit redundant after Procexp - but do it anyway - even tho' it'll likely fail) 
Type cd %systemroot%\system32 and press Enter. 
Type DWRCS.exe -remove and press Enter.
Type DNTUS26.exe -remove and press Enter. 
After the service removal you can delete the following files, however this may require a re-boot before you can delete them.

DNTUS26.EXE
DWRCS.EXE 
DWRCS.INI
DWRCK.DLL
DWRCSET.DLL (v 3.6x and later)
DWRCSHELL.DLL (v 3.6x and later)

If you cannot delete the DWRCShell.dll, then more than likely the Windows Explorer Shell must have already loaded it.

Reboot the machine and do not right-click on anything.
Click on the Start button and then select run.
Type CMD and press ENTER.
Once you have the DOS prompt, type: CD %systemroot%\system32 and press Enter. 
Now delete the DWRCShell.dll file.
--------------------

Run HijackThis again, Scan, and place a check next to the following items. Doublecheck so as to be sure not to miss one.
Next, *close all browser Windows*, and have HT fix all checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bm...mp;bm=ho_search
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe
O4 - HKCU\..\Run: [QuickReg] C:\Program Files\QuickReg\quickreg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/215a3a49fbb738...ip/RdxIE601.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/i...uditControl.cab

Reboot when you've done this. (pref to SAFE mode)
-------
Delete the following files

msgner.exe
netd32.exe
c:\winnt\web\printers\images\appreg.exe
------

If you added the O6 internet restrictions you will have to reset them with SDHelper after removing them with HJT.
(Spybot S&D home page locks etc.)

Make sure that when you are looking for files and folders - you have your machine set up to show hidden files
http://service1.symantec.com/SUPPOR...iew=docid&dtype=corp&prod=&ver=&osv=&osv_lvl=

as an aside ------------
Regarding not finding files (or being unsure of extensions)

In Explorer (not IE) use Tools > Folder Options and click on the View tab
Under the hidden files section - place a check next to 'Show all files'
Remove the check next to 'Hide file extensions for known file types'

------------

Finally, download Spybot - Search and Destroy

Use the beta updates - after installing, press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".
After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.


----------



## KeithKman (Dec 29, 2002)

> _Originally posted by NWDaydreamer:_
> *ok *


Were you able to delete the W32.Randex.F worm?


----------



## IMM (Feb 1, 2002)

As an aside
Here's RAV's page on Apher
http://www.ravantivirus.com/virus/showvirus.php?v=116
Though this is the specific and NOT the .gen detection


----------



## NWDaydreamer (Oct 29, 2003)

I have Windows 2000 pro. How do I disable?


----------



## IMM (Feb 1, 2002)

> How do i disable


If referring to system restore - ignore that bit - no restore in w2k sp4


----------



## NWDaydreamer (Oct 29, 2003)

I am so sorry, I'm not very good at this. What does that mean? "Terminate these processes."

I also have already downloaded Spybot


----------



## IMM (Feb 1, 2002)

I use the terms terminate and kill interchangeably - it is usually done from Windows Task Manager (using Ctrl-Alt-Delete) - but in your case I'm not sure that Task Manager will work correctly, so I suggested a small download (Process Explorer). When you run procexp.exe, you can highlight the task, right click, and choose Kill.

BTW - this is all done best offline (to whatever extent you can).
I think what we're looking at here, are several items being called viruses and trojans which were simply the droppers for DAME which offers much more control to a hacker (assuming anyone's there)


----------



## NWDaydreamer (Oct 29, 2003)

I'm here, just slow. I killed or terminated, whatever you want to call it, but I am lost when it comes to the rest of that post.


----------



## NWDaydreamer (Oct 29, 2003)

IMM, this is what I have left to do.

Go to a command prompt. (this remove stuff is a bit redundant after Procexp - but do it anyway - even tho' it'll likely fail) 
Type cd %systemroot%\system32 and press Enter. 
Type DWRCS.exe -remove and press Enter.
Type DNTUS26.exe -remove and press Enter. 
After the service removal you can delete the following files, however this may require a re-boot before you can delete them.

DNTUS26.EXE
DWRCS.EXE 
DWRCS.INI
DWRCK.DLL
DWRCSET.DLL (v 3.6x and later)
DWRCSHELL.DLL (v 3.6x and later)

If you cannot delete the DWRCShell.dll, then more than likely the Windows Explorer Shell must have already loaded it.

Reboot the machine and do not right-click on anything.
Click on the Start button and then select run.
Type CMD and press ENTER.
Once you have the DOS prompt, type: CD %systemroot%\system32 and press Enter. 
Now delete the DWRCShell.dll file.
--------------------

Run HijackThis again, Scan, and place a check next to the following items. Doublecheck so as to be sure not to miss one.
Next, close all browser Windows, and have HT fix all checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bm...mp;bm=ho_search
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe
O4 - HKCU\..\Run: [QuickReg] C:\Program Files\QuickReg\quickreg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/215a3a49fbb738...ip/RdxIE601.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/i...uditControl.cab

Reboot when you've done this. (pref to SAFE mode)
-------
Delete the following files

msgner.exe
netd32.exe
c:\winnt\web\printers\images\appreg.exe
------

If you added the O6 internet restrictions you will have to reset them with SDHelper after removing them with HJT.
(Spybot S&D home page locks etc.)

Make sure that when you are looking for files and folders - you have your machine set up to show hidden files
http://service1.symantec.com/SUPPOR...v=&osv_lvl=

as an aside ------------
Regarding not finding files (or being unsure of extensions)

In Explorer (not IE) use Tools > Folder Options and click on the View tab
Under the hidden files section - place a check next to 'Show all files'
Remove the check next to 'Hide file extensions for known file types'

------------

Finally, download Spybot - Search and Destroy

Use the beta updates - after installing, press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".
After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.


----------



## IMM (Feb 1, 2002)

A bit at a time,

Open a command prompt (dos box) by using Start > Run and typing *cmd* in the box - then click ok
Type the following lines exactly, hitting the Enter key after each one
*
cd %systemroot%\system32
DWRCS.exe -remove
DNTUS26.exe -remove
*
You can now close the cmd prompt or type *exit* to close it.

Make sure that when you are looking for files and folders - you have your machine set up to show hidden files
http://service1.symantec.com/SUPPOR...v=&osv_lvl=
In Explorer (not IE) use Tools > Folder Options and click on the view tab
Under the hidden files section - place a check next to 'Show all files'
Remove the check next to 'Hide file extensions for known file types'
You are an administrator on this machine?

Using Explorer - Find (Search for) the following files and try to delete them if you find them

DNTUS26.EXE
DWRCS.EXE 
DWRCS.INI
DWRCK.DLL
DWRCSET.DLL
DWRCSHELL.DLL

Let me know what you found and if you could delete it.


----------



## IMM (Feb 1, 2002)

RE: (assuming anyone's there) - I was trying to refer to whoever put the trojan on your machine being actually there or awake.

Most of these go out automated I think and there maybe no one home - but who knows.


----------



## NWDaydreamer (Oct 29, 2003)

Imm,
I was able to delete DNTUS26.EXE, but the following files could not be found.
DWRCS.EXE 
DWRCS.INI
DWRCK.DLL
DWRCSET.DLL
DWRCSHELL.DLL


----------



## IMM (Feb 1, 2002)

I thought that might be the case.
Do the bit about rerunning HijackThis, pressing scan, and placing check marks next to the items in bold and then pushing the FIX button.

After that reboot, run HJT, press Scan and post a new log here.


----------



## NWDaydreamer (Oct 29, 2003)

I will do that and get back to you. Thank you. Talk to you soon.


----------



## NWDaydreamer (Oct 29, 2003)

None of them are in bold. What do you suggest?


----------



## IMM (Feb 1, 2002)

It's the list I put in bold back in reply #15 
http://forums.techguy.org/showthread.php?postid=1216162#post1216162
*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bm...mp;bm=ho_search
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O4 - HKLM\..\Run: [MSN Loader] msgner.exe
O4 - HKLM\..\Run: [MS_NETD_WIN32] netd32.exe
O4 - HKLM\..\Run: [SystemUpdate] c:\winnt\web\printers\images\appreg.exe
O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe
O4 - HKCU\..\Run: [QuickReg] C:\Program Files\QuickReg\quickreg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/215a3a49fbb738...ip/RdxIE601.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/i...uditControl.cab
*


----------



## NWDaydreamer (Oct 29, 2003)

Thank you. I am working on that right now. I will get right back to you.


----------



## NWDaydreamer (Oct 29, 2003)

Here is the new scan results.

Logfile of HijackThis v1.97.3
Scan saved at 12:30:33 AM, on 10/29/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\winini.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Snapfish\Devmon.exe
C:\WINNT\System32\rsvp.exe
C:\Documents and Settings\James Franklin\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [SFPW] C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.5896064815
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------
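Checking a fresh HJT log against the previous one by hand, as happens over the next few replies, is easy to get wrong. The script below is an added example (not from the thread and not part of HijackThis) that parses two logs, reports which of the requested fix entries survived, which entries are new since the first scan, and whether a watched process such as winini.exe is still in the process list. The log excerpts inside it are constructed from the logs posted in this thread, trimmed to a few lines each.

```python
import re

# Constructed excerpts modelled on the HijackThis logs posted in this thread,
# trimmed to a few lines each; they are not the complete logs.
BEFORE_LOG = """\
Logfile of HijackThis v1.97.3
Scan saved at 6:20:41 PM, on 10/28/2003

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\SYSTEM32\\DNTUS26.EXE
C:\\WINNT\\system32\\winini.exe

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O4 - HKLM\\..\\Run: [MSN Loader] msgner.exe
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\RunServices: [MSN Loader] msgner.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
"""

AFTER_LOG = """\
Logfile of HijackThis v1.97.3
Scan saved at 12:30:33 AM, on 10/29/2003

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\winini.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
"""

# The entries the helper asked to have fixed (a subset of his list).
FIX_LIST = [
    r"R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)",
    r"O4 - HKLM\..\Run: [MSN Loader] msgner.exe",
    r"O4 - HKLM\..\RunServices: [MSN Loader] msgner.exe",
    r"O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab",
]

# A HijackThis item line starts with its section code, e.g. "R1 - " or "O16 - ".
ITEM_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - ")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, scan item lines)."""
    processes, items = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process block ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ITEM_RE.match(line):
            items.append(line)
    return processes, items


def basename(path):
    """Case-folded file name of a Windows path (or of a bare file name)."""
    return path.rsplit("\\", 1)[-1].lower()


def verify_fix(before, after, fix_list, watch_processes):
    """Compare two HJT logs and report what the fix did and did not achieve."""
    _, b_items = parse_hjt(before)
    a_procs, a_items = parse_hjt(after)
    a_names = {basename(p) for p in a_procs}
    return {
        # fix-list entries that survived the HJT "Fix checked" step
        "still_present": [i for i in fix_list if i in a_items],
        # every entry that disappeared between the scans (fixed or otherwise)
        "removed": [i for i in b_items if i not in a_items],
        # entries that are new since the first scan and deserve a look too
        "added": [i for i in a_items if i not in b_items],
        # processes that should be gone but are still listed
        "still_running": [p for p in watch_processes if basename(p) in a_names],
    }


if __name__ == "__main__":
    report = verify_fix(BEFORE_LOG, AFTER_LOG, FIX_LIST, ["winini.exe", "DNTUS26.EXE"])
    for key, lines in report.items():
        print(f"{key}:")
        for line in lines:
            print("   ", line)
```

On the constructed excerpts the report shows all four fix entries gone, the SpyBot SDHelper BHO as new, and winini.exe still running, which is exactly what the next reply in the thread points out.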



## IMM (Feb 1, 2002)

Not out of the woods yet.
This process
C:\WINNT\system32\winini.exe
is still running

Use TaskManager or process explorer to kill it. 
Then search for and delete (using Explorer) the following

msgner.exe
netd32.exe
c:\winnt\web\printers\images\appreg.exe

If you can't find or can't delete any of those mention it in the next reply.
Please also post a startuplist log from HJT so I can guess at what I'm missing.
To do that - start HijackThis and use Config > Misc. Tools > Generate StartupList log - then post that log here.

I guess I need a moment to think about it - your post is the commercial interlude in the Lord of the Rings DVD (two towers) which I'm watching on this machine 

--------
edit - I think you should also terminate rsvp.exe (but I admit I'm not sure if your ISP uses it) - it could be reserving bandwidth for the trojan.


----------



## NWDaydreamer (Oct 29, 2003)

COMMERCIAL BREAK!!!

I couldn't find the files but here is the startup log.

StartupList report, 10/29/2003, 12:52:22 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\James Franklin\My Documents\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Snapfish\Devmon.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MailWasher\MailWasher.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\James Franklin\My Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
anvshell = anvshell.exe
LiveNote = livenote.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINNT\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
Motive SmartBridge = C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
IPInSightLAN 02 = "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
IPInSightMonitor 02 = "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
ConMgr.exe = "C:\Program Files\EarthLink 5.0\ConMgr.exe"
Outpost Firewall = C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SFPW = C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
Desktop Architect = "C:\Program Files\Desktop Architect\datray.exe" -S

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\POPUPP~1\PopLib.dll - {41353F8B-78CE-48A5-BE44-153ED293D192}
(no name) - C:\Program Files\EarthLink TotalAccess\PnEL.dll - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Snapfish Fix Photo Control]
InProcServer32 = C:\WINNT\DOWNLO~1\SNAPFI~2.OCX
CODEBASE = http://www.snapfish.com/SnapfishImageEditor.cab

[Pixami/Snapfish Upload UI Control]
InProcServer32 = C:\WINNT\DOWNLO~1\SNAPFI~1.OCX
CODEBASE = http://www.snapfish.com/SnapfishUploader.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.5896064815

[CRAVOnline Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\ravonline.dll
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 7,861 bytes
Report generated in 0.050 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## IMM (Feb 1, 2002)

Can you find this file
C:\WINNT\system32\winini.exe

IF so, either rename it to mywinini.xee or delete it.


----------



## NWDaydreamer (Oct 29, 2003)

I found and deleted it.


----------



## IMM (Feb 1, 2002)

Run SpyBotSD and fix everything it auto selects - then reboot and post a new HJT scan log (not the startuplist one)

Gets tiresome doesn't it


----------



## NWDaydreamer (Oct 29, 2003)

Ok, I will do that and yes it is very very tiresome.


----------



## IMM (Feb 1, 2002)

I made a comment earlier - but it seems to have been lost while TSG was doing backups

The userinit key

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\Userinit.exe

is missing a comma (and the capitalization seems funny)

it should read
UserInit = C:\WINNT\system32\userinit.exe,

Do you know how to use regedit ?

This key must be correct after you edit it, or it will really ruin your day!


----------
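A check for the Userinit value discussed above, as an added example that is not from the thread: it pulls the value out of the "Checking Windows NT UserInit" section the way the StartupList report prints it, and verifies the stock form (one path to userinit.exe with the trailing comma). It goes one step beyond the post by also reporting any further comma-separated entries, since Winlogon launches every program in that list at logon; the report excerpt is constructed from the one posted here.

```python
import re

# Constructed excerpt of the "Checking Windows NT UserInit" section of the
# StartupList report posted in this thread (not the full report).
STARTUPLIST_EXCERPT = """\
Checking Windows NT UserInit:

[HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
UserInit = C:\\WINNT\\system32\\Userinit.exe
"""


def userinit_from_startuplist(report):
    """Pull the Userinit value out of a StartupList report, or None if absent."""
    m = re.search(r"^UserInit\s*=\s*(.*)$", report, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def check_userinit(value, system_root=r"C:\WINNT"):
    """Return (ok, problems) for a Winlogon Userinit value.

    The stock value is a single path to userinit.exe followed by a trailing
    comma.  Userinit accepts a comma-separated list, so anything after the
    first entry is an extra program Winlogon will launch at logon and needs
    to be reviewed.  Path comparison ignores case, as Windows does.
    """
    problems = []
    if not value.endswith(","):
        problems.append("missing trailing comma")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return False, ["empty value"]
    expected = (system_root + r"\system32\userinit.exe").lower()
    if entries[0].lower() != expected:
        problems.append(f"first entry is {entries[0]!r}, expected {expected!r}")
    for extra in entries[1:]:
        problems.append(f"extra program after userinit.exe: {extra!r}")
    return not problems, problems


def audit_report(report, system_root=r"C:\WINNT"):
    """Combine the two steps: returns (value, ok, problems)."""
    value = userinit_from_startuplist(report)
    if value is None:
        return None, False, ["no UserInit line in report"]
    ok, problems = check_userinit(value, system_root)
    return value, ok, problems


if __name__ == "__main__":
    value, ok, problems = audit_report(STARTUPLIST_EXCERPT)
    print(f"UserInit = {value}")
    print("OK" if ok else "Problems: " + "; ".join(problems))
```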



## NWDaydreamer (Oct 29, 2003)

No, I don't know how to use regedit and I have had a bad enough day as it is. What do I have to do in order to get regedit to work properly and where do I find it?


----------



## NWDaydreamer (Oct 29, 2003)

The spybot finished and fixed 3 files. Should I restart now or fix the regedit first?


----------



## IMM (Feb 1, 2002)

I'd do the regedit first

The hjt log is after the reboot


----------



## NWDaydreamer (Oct 29, 2003)

Ok, how do I do it?


----------



## IMM (Feb 1, 2002)

oh dear - reboot first
I think that if you have a computer guru in your neighborhood - you should ask him to do it if you haven't used regedit


----------



## NWDaydreamer (Oct 29, 2003)

It isn't that hard, right? As long as I type it in correctly. We don't have any computer gurus around here.


----------



## NWDaydreamer (Oct 29, 2003)

I rebooted and I have the regedit open, now what?????


----------



## NWDaydreamer (Oct 29, 2003)

:up:


----------



## IMM (Feb 1, 2002)

In my last post I meant to skip that - and just have you post the HJT log.

If you're sure you want to - 
Navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
by clicking on the plus signs in the left hand pane

When you get to the winlogon key - click on it to highlight it 
In the right hand pane double click on the Userinit entry and an edit box will open.

Edit that to add the comma and make the U lowercase so that it looks like
*C:\WINNT\system32\userinit.exe,*
then click OK 
Close Regedit


----------



## NWDaydreamer (Oct 29, 2003)

Logfile of HijackThis v1.97.3
Scan saved at 2:00:06 AM, on 10/29/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Snapfish\Devmon.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\WINNT\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\James Franklin\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [SFPW] C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.5896064815
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------



## IMM (Feb 1, 2002)

Looks better
Does it work any better?
Hope we got most of it - it's very hard to tell from this distance


----------



## NWDaydreamer (Oct 29, 2003)

I changed the regedit key, now what do I need to do?


----------



## IMM (Feb 1, 2002)

Reboot with crossed fingers 
Are there various users on this machine?


----------



## NWDaydreamer (Oct 29, 2003)

Does what work better? My printer doesn't work, but what else do you want to know? 

Is the virus gone?


----------



## NWDaydreamer (Oct 29, 2003)

No, just me. Rebooting now.


----------



## NWDaydreamer (Oct 29, 2003)

Ok, I'm baaaaaaaaaack!!!!  

Nothing seems to have died, so I guess I did it right but deleting that file for the printer seems to have really worked.....


----------



## NWDaydreamer (Oct 29, 2003)

Is the virus gone and should I reinstall the printer?


----------



## IMM (Feb 1, 2002)

Is there anything else in that images folder (other than 6 or so small [1-2k] .gifs ?)

If so, delete those files and open the gifs in a viewer like IrfanView to ensure that they are gifs.


----------



## NWDaydreamer (Oct 29, 2003)

What images folder?


----------



## IMM (Feb 1, 2002)

c:\winnt\web\printers\images\


----------



## NWDaydreamer (Oct 29, 2003)

I deleted 20 other files and checked other 6 with IrfanView and they are gif.


----------



## IMM (Feb 1, 2002)

I've got to run.

Update your NAV and set it to do a full scan including inside archives - then scan your drives.

I worry some about your ADMIN folder. If you can stand the time it will take - it's probably best to do this scan in SAFE mode
How to start Windows 2000 in Safe mode

If you still have problems after that - post back - I usu. check in at least once a day.


----------



## NWDaydreamer (Oct 29, 2003)

Already? I will do that. I am so grateful for you giving me so much of your time. Thank you for the help  :up:


----------



## NWDaydreamer (Oct 29, 2003)

> _Originally posted by IMM:_
> *I've got to run.
> 
> Update your NAV and set it to do a full scan including inside archives - then scan your drives.
> ...


I started in safe mode and scanned with Norton. Nothing. Ran another RAV online scan, results:

Scan started at 10/29/2003 12:26:28 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\system32\al3azmi.exe - TrojanDownloader:Win32/Apher -> Infected
C:\WINNT\system32\lover.exe - TrojanDownloader:Win32/Apher.gen -> Infected
C:\WINNT\system32\v0x.exe - TrojanDownloader:Win32/Apher.gen -> Infected

Scanned
============================
Objects: 51184
Directories: 4693
Archives: 1516
Size(Kb): 694297
Infected files: 3

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 594

Ran HIJack again, Results:
Logfile of HijackThis v1.97.3
Scan saved at 12:25:17 PM, on 10/29/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Snapfish\Devmon.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\James Franklin\My Documents\HijackThis.exe
C:\WINNT\System32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [SFPW] C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.5896064815
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

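As an added example (not from the thread, and not code from RAV or HijackThis), the following Python script parses scan output and a HijackThis 1.97 log in the formats pasted above and, for each file the scanner flagged, reports whether it shows up in the running-process list or in any O4 autostart entry. The sample inputs are constructed from lines in the post; the regular expressions and function names are this example's own assumptions about the log format.

```python
import re

# Constructed sample input: a few lines in the shape of the RAV online-scan
# output and the HijackThis 1.97 log quoted in the post above.
RAV_SCAN = r"""Scanning files...
C:\WINNT\system32\al3azmi.exe - TrojanDownloader:Win32/Apher -> Infected
C:\WINNT\system32\lover.exe - TrojanDownloader:Win32/Apher.gen -> Infected
C:\WINNT\system32\v0x.exe - TrojanDownloader:Win32/Apher.gen -> Infected
"""
HJT_LOG = r"""Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anvshell] anvshell.exe
"""

# Assumed line formats: "<path> - <detection> -> Infected" and "O4 - <where>: <command>"
RAV_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) - (?P<name>.+?) -> Infected$")
HJT_O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<cmd>.*)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # case-folded file name of a Windows path

def parse_rav(text):
    """Infected files reported by the scanner, as (path, detection) pairs."""
    return [(m["path"], m["name"]) for m in (RAV_RE.match(l.strip()) for l in text.splitlines()) if m]

def parse_hjt(text):
    """Running-process names and O4 autostart entries from a HijackThis log."""
    processes, autostart, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.add(basename(line))
        elif in_procs:  # a blank line ends the process list
            in_procs = False
        elif m := HJT_O4_RE.match(line):
            autostart.append((m["where"], m["cmd"]))
    return {"processes": processes, "autostart": autostart}

def triage(rav_hits, hjt):
    """For each flagged file: is it running now, and which O4 entries launch it?"""
    report = []
    for path, detection in rav_hits:
        name = basename(path)
        report.append({"file": name, "detection": detection,
                       "running": name in hjt["processes"],
                       "autostart": [w for w, cmd in hjt["autostart"] if name in cmd.lower()]})
    return report
```

A flagged file that is neither running nor referenced by an O4 entry (as with the three system32 files here) is dropped on disk but not launched by a Run key, which is worth knowing before deciding the cleanup is finished.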

----------



## NWDaydreamer (Oct 29, 2003)

A question: is it safe to use my computer? Will the virus spread more?


----------

