Recycler folder reappears

#1 edmanzer


Posted 09 June 2004 - 03:26 PM

Thanks to instructions from Tony Klein on 5/30/04, I previously removed the file S-1-21-789336058-484061587-725345543-1004, but the folder has reappeared with the same file, again duplicating any actions in the Norton Protected Recycle Bin, which was emptied after the Recycler Folder removal. Following is the current HijackThis logfile, run after scans by Ad-aware and Spybot. Please help.

Additional troubleshooting 6/14/04. The prescribed delete procedure included disabling Norton recycle bin protection before the deletion. After the deletion and rebooting, enabling the Norton recycle bin protection causes the Recycler folder and S-1-21-******** file to reappear, and again duplicate all actions of the Norton Protected Recycle Bin.


Logfile of HijackThis v1.97.7
Scan saved at 1:43:39 PM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\NetCaptor\NetCaptor.exe
C:\Security\Hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...her/local/40502
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATTRedUpate] C:\Program Files\Common Files\Insight\MigCfg\Programs\AutoUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: Weather.com - Local Weather - Lexington, KY (40502).url
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7709.4845949074
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab

Edited by edmanzer, 14 June 2004 - 04:45 PM.


#2 edmanzer


Posted 28 June 2004 - 04:59 PM

Trojan horse named Backdoor.IRC.RPCBot presumably created the reappeared file, as noted in the detail. This posting is merely to highlight the Trojan horse, hoping that will cause someone to reply. If replies after the first one require a donation to get response priority, please note that I would gladly donate if someone solves my problem.

Ed Manzer




Member of ASAP and UNITE
Support SpywareInfo Forum - click the button