Hi All... This PC had 14 infected files with 8 different viruses.. I'm trying to pin 'em down one by one and making pretty good progress. It's so bad I can't even install NAV'04 heh. So it's all manual removal... Could someone please look this over and suggest any more changes? Thank you!! I'll also include the NAV'04 pre-install scan log just for kicks.
Logfile of HijackThis v1.97.6
Scan saved at 9:05:49 PM, on 11/17/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\viewport.exe
C:\Program Files\CRW\shwicon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [ShowIcon_A_CRW Series Driver v1.17r010] "C:\Program Files\CRW\shwicon.exe" -t"A\CRW Series Driver v1.17r010"
O4 - HKLM\..\Run: [CapShare IO Broker] C:\Program Files\Hewlett-Packard\CapShare\hpkiob1.exe /BusServer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/...ll/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloa...oads/MrSIDI.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7747.8799537037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
Here's the Norton AV preinstall scan report

It says the files were deleted but they weren't *sigh* grrr. But basically when I go to install Norton AV, something is causing it to run in such a small window that I can't "accept" in the EULA..*and no I can't "tab" to it either* grrrr. And therefore, I can't install NAV.
Thanks!!!
NOTE: Close this window to continue installing the product.
=========================================================
===============PRE-INSTALL SCANNER RESULTS===============
=========================================================
Summary:
Scan finished at 8:01:33 PM on 11/16/2003.
Number of Files Scanned: 22010
Number of Infections Found: 14
Number of Files Repaired: 0
Number of Files Deleted: 14
Number of Files Left Infected: 0
=========================================================
Details:
C:\WINNT\inf\msvs32.bat was infected with Backdoor.IRC.Flood.E. (DELETED)
C:\WINNT\inf\n1gg4.exe was infected with Backdoor.IRC.Flood.E. (DELETED)
C:\WINNT\inf\ntzm32.dll was infected with Backdoor.IRC.Flood.E. (DELETED)
C:\WINNT\inf\nwbt32.bat was infected with Backdoor.IRC.Flood.E. (DELETED)
C:\WINNT\inf\securee.exe was infected with Backdoor.Sumtax. (DELETED)
C:\WINNT\system32\inst.exe was infected with Backdoor.Dvldr. (DELETED)
C:\WINNT\system32\lan.bat was infected with BAT.Trojan. (DELETED)
C:\WINNT\system32\mscfgnw.ocx was infected with IRC Trojan. (DELETED)
C:\WINNT\system32\msct32.ocx was infected with IRC Trojan. (DELETED)
C:\WINNT\system32\msv32drv.BAT was infected with BAT.Trojan. (DELETED)
C:\WINNT\system32\n1gg4.exe was infected with Backdoor.IRC.Flood.E. (DELETED)
C:\WINNT\system32\reg.xpl was infected with IRC Trojan. (DELETED)
C:\WINNT\system32\wincmd34.bat was infected with IRC Trojan. (DELETED)
C:\WINNT\system32\winzp32.dll was infected with Backdoor.IRC.Flood. (DELETED)
=========================================================
NOTE: Close this window to continue installing the product.