cole03873

BHO not in list/Trojan in Hosts files


I have gone through the FAQ on this site and run NAV, Spy-Bot, Ad-Aware, TrojanHunter, etc. All products used have the latest definitions.

Still, NAV detects a Trojan Horse virus in C:\WINDOWS\hosts and C:\WINDOWS\system32\drivers\etc\hosts. It seems like the more I do to try to get rid of it, the more frequently it is detected, which right now is almost constant; I have lost count of how many times I have had to click to acknowledge its presence.

See the HijackThis file: the R0 and R1 entries reflecting C:\WINDOWS\secure.html are the culprits, yet I can't figure out how to get them out of there. My home page gets reset to the secure.html file, and nothing I do fixes that either.

The BHO with C:\WINDOWS\SYSTEM32\ktslm.dll is not in the list posted here.

One other thing worth noting is that when this originally came up, I was directed to a "Fix QHosts Removal tool" at Symantec that, when run, did not detect Qhost, although that is what McAfee identified it as.

HijackThis files:


StartupList report, 7/15/2004, 12:09:47 PM

StartupList version: 1.52

Started from : C:\HJT\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\SVA Player\SVAPLAYER.EXE

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft Money\System\Money Express.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Outlook Express\msimn.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\System32\hpoipm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Microsoft Works Calendar Reminders.lnk = ?

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\Userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SVAPlayer = C:\Program Files\SVA Player\SVAPLAYER.EXE

SM1BG = C:\WINDOWS\SM1BG.EXE

Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

DellTouch = C:\WINDOWS\DELLMMKB.EXE

AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe

AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

nwiz = nwiz.exe /install

THGuard = "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

Symantec NetDriver Monitor = C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

Mim = C:\WINDOWS\System32\sln.exe

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SVAPLA~1\SVAPLA~1.DLL - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

(no name) - C:\WINDOWS\SYSTEM32\ktslm.dll - {FDDCF71E-B486-4735-BCBF-F4630344901C}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Norton AntiVirus - Scan my computer - Monty.job

Norton AntiVirus - Scan my computer.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Office Update Installation Engine]

InProcServer32 = C:\WINDOWS\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7393.8608796296

 

[ActiveDataInfo Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll

CODEBASE = https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[ActiveDataObj Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll

CODEBASE = https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

 

[McFreeScan Class]

InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll

CODEBASE = http://download.mcafee.com/molbin/iss-loc/...375/mcfscan.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

System: C:\WINDOWS\system32\system32.dll

 

--------------------------------------------------

End of report, 7,726 bytes

Report generated in 0.203 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:10:43 PM, on 7/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\SVA Player\SVAPLAYER.EXE

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft Money\System\Money Express.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Outlook Express\msimn.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\System32\hpoipm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

C:\WINDOWS\System32\notepad.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRA~1\SVAPLA~1\SVAPLA~1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O2 - BHO: (no name) - {FDDCF71E-B486-4735-BCBF-F4630344901C} - C:\WINDOWS\SYSTEM32\ktslm.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [Mim] C:\WINDOWS\System32\sln.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7393.8608796296

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...375/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seasystems.com

O17 - HKLM\Software\..\Telephony: DomainName = seasystems.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seasystems.com


There isn't a "smiley" showing someone simultaneously screaming and pulling their hair out, so just picture that here.

Any and all help would be greatly appreciated; I am very close to reinstalling my OS.

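The post above shows the two artifacts a responder looks for first in a log like this: Internet Explorer start-page keys (R0/R1) pointing at a local file instead of a URL, and a "(no name)" BHO loaded from the Windows directory, plus a hosts file the AV keeps flagging. The script below is an added example, not part of the original post and not HijackThis's own code; it parses HijackThis-style R0/R1 and O2 lines and a Windows hosts file and flags those patterns. The R0/R1/O2 sample lines are copied from the log in the post; the sample hosts file is constructed for the example (the real hosts file content is not on the page), and the three heuristics are the author's assumptions, not HijackThis rules.

```python
"""Triage helpers for a HijackThis-style log and a Windows hosts file.

Added example (not from the forum post or from HijackThis). The heuristics
are assumptions chosen to match the symptoms described in the post:
  * an IE Start Page / Default_Page_URL / Local Page that points at a local
    drive path instead of an http(s) URL is flagged (the R0/R1 lines);
  * a BHO reported as "(no name)" whose DLL lives under C:\\WINDOWS\\ rather
    than Program Files is flagged for review (the ktslm.dll O2 line);
  * a hosts entry that maps a hostname to anything other than loopback or
    the 0.0.0.0 blackhole is flagged (a normal hosts file only has those).
"""
import re
from typing import Dict, List

# Sample HJT lines copied from the log in the post (format is HijackThis 1.97.7).
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = C:\\WINDOWS\\secure.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = C:\\WINDOWS\\secure.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {FDDCF71E-B486-4735-BCBF-F4630344901C} - C:\\WINDOWS\\SYSTEM32\\ktslm.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
"""

# Constructed sample hosts file (NOT the poster's real file): a standard
# localhost line, an ad-blocking loopback line, and one redirection that
# sends a hostname to a non-loopback address, which is what we want to catch.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.invalid
203.0.113.5     www.example-av-vendor.invalid   # hijacked resolution
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<target>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")          # e.g. C:\WINDOWS\secure.html
HARMLESS_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}  # loopback / blackhole


def flag_hjt_lines(log: str) -> List[str]:
    """Return human-readable findings for suspicious R0/R1 and O2 lines."""
    findings: List[str] = []
    for line in log.splitlines():
        m = R_LINE.match(line)
        if m:
            target = m.group("target").strip()
            # A start page should be a URL; a drive path means IE opens a local file.
            if LOCAL_PATH.match(target):
                findings.append(f"IE {m.group('value').strip()} points at local file {target}")
            continue
        m = O2_LINE.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            # Legitimate BHOs usually carry a name and live under Program Files.
            if name == "(no name)" and path.lower().startswith("c:\\windows\\"):
                findings.append(f"Unnamed BHO {{{m.group('clsid')}}} loads {path}")
    return findings


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a hosts file to the address it resolves to."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, skip it
        addr, *names = parts
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def flag_hosts(text: str) -> List[str]:
    """List hosts entries that redirect a name somewhere other than loopback."""
    return [f"{name} -> {addr}"
            for name, addr in parse_hosts(text).items()
            if addr not in HARMLESS_TARGETS]


if __name__ == "__main__":
    for finding in flag_hjt_lines(SAMPLE_HJT_LOG) + flag_hosts(SAMPLE_HOSTS):
        print("SUSPICIOUS:", finding)
```

Run against the sample input it reports the two secure.html start-page entries and the unnamed ktslm.dll BHO, and leaves the named Norton BHO and the O14 line alone; on the constructed hosts file it flags only the non-loopback redirection. On a live machine you would feed it the saved HijackThis log and the contents of %SystemRoot%\system32\drivers\etc\hosts (the C:\WINDOWS\hosts copy the poster mentions is not where Windows reads the file from, so it is worth checking both).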