edmanzer

Recycler folder reappears

2 posts in this topic

Thanks to instructions from Tony Klein on 5/30/04, I previously removed the file S-1-21-789336058-484061587-725345543-1004, but the folder has reappeared with the same file, again duplicating any actions in the Norton Protected Recycle Bin, which was emptied after the Recycler Folder removal. Following is the current HijackThis logfile, run after scans by Ad-aware and Spybot. Please help.

Additional troubleshooting 6/14/04. The prescribed delete procedure included disabling Norton recycle bin protection before the deletion. After the deletion and rebooting, enabling the Norton recycle bin protection causes the Recycler folder and S-1-21-******** file to reappear, and again duplicate all actions of the Norton Protected Recycle Bin.

Logfile of HijackThis v1.97.7
> Scan saved at 1:43:39 PM, on 6/8/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\LEXBCES.EXE
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\system32\LEXPPS.EXE
> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\System32\drivers\CDAC11BA.EXE
> C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
> C:\Program Files\Roxio\GoBack\GBPoll.exe
> C:\WINDOWS\System32\gearsec.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
> C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
> C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
> C:\WINDOWS\System32\nvsvc32.exe
> C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
> C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
> C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINDOWS\System32\WFXSVC.EXE
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINDOWS\DELLMMKB.EXE
> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> C:\PROGRA~1\WinFax\WFXSWTCH.exe
> C:\WINDOWS\System32\wfxsnt40.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\Netropa\OSD.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\WINDOWS\SM1BG.EXE
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
> C:\WINDOWS\system32\tbctray.exe
> C:\WINDOWS\System32\ctfmon.exe
> C:\Program Files\Roxio\GoBack\GBTray.exe
> C:\Program Files\Outlook Express\msimn.exe
> C:\Program Files\Microsoft Office\Office10\msoffice.exe
> C:\Program Files\NetCaptor\NetCaptor.exe
> C:\Security\Hijack\HijackThis.exe
> C:\Program Files\Messenger\msmsgs.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/40502
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
> O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
> O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
> O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
> O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [ATTRedUpate] C:\Program Files\Common Files\Insight\MigCfg\Programs\AutoUpdate.exe
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
> O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
> O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
> O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE
> O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
> O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
> O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
> O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
> O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
> O4 - Startup: Weather.com - Local Weather - Lexington, KY (40502).url
> O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
> O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
> O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
> O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
> O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
> O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
> O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
> O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
> O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
> O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
> O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Messenger (HKLM)
> O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
> O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
> O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
> O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
> O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
> O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
> O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
> O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
> O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7709.4845949074
> O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
> O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
> O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
> O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
> O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

Edited by edmanzer

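As an added example, not part of the original post and not code from HijackThis itself, here is a small Python parser for the log layout pasted above. It rejoins the lines the forum hard-wrapped (the original log lines carry the "> " quote prefix, the continuation lines do not), splits each entry by its section tag, and pulls out the fields an analyst compares against known-good lists: the CLSID and DLL path of each O2/O3 BHO and toolbar, the download URL of each O16 ActiveX package, and the image behind each O4 Run entry. The sample text is a constructed excerpt of the log in this thread; the regular expressions assume the v1.97 line layout shown here, and the section-tag list is the one HijackThis 1.x documents.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed excerpt in the layout of the HijackThis v1.97 log pasted in the
# post above: "> " marks an original log line, lines without it are where the
# forum hard-wrapped a long line at a space.
SAMPLE_LOG = r"""
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.weather.com/weather/local/40502
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwa...ash/swflash.cab
> O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.napster.com/client/isetup.cab
"""

# Section tags a HijackThis 1.x log uses (R0-R3, F0-F3, N1-N4, O1-O2x).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def unwrap_quoted(text):
    """Rebuild the original log lines from a '>'-quoted, hard-wrapped paste."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(">"):
            lines.append(raw[1:].strip())
        elif raw.strip():
            if lines and lines[-1]:
                # The wrap happened at a space, so one space restores the line.
                lines[-1] += " " + raw.strip()
            else:
                lines.append(raw.strip())
    return [line for line in lines if line]


def parse_entries(lines):
    """Turn tagged log lines into dicts; header and process-list lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tag, body = m.groups()
        entry = {"tag": tag, "body": body}
        clsid = CLSID_RE.search(body)
        if clsid:
            entry["clsid"] = clsid.group(0).upper()  # normalise case for list lookups
        if tag.startswith("R"):
            # Registry value lines: "<hive\key>,<value name> = <data>"
            key, _, value = body.partition(" = ")
            entry["key"], entry["value"] = key.rstrip(" ="), value
        elif tag == "O4":
            run = RUN_RE.match(body)  # only the HKLM/HKCU ..\Run form has [name]
            if run:
                entry.update(run.groupdict())
        elif tag in ("O2", "O3", "O16"):
            # Last " - " field: the DLL on disk (O2/O3) or the download URL (O16).
            entry["target"] = body.rsplit(" - ", 1)[-1].strip()
        entries.append(entry)
    return entries


def image_path(command):
    """Pull the executable out of an O4 command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def unresolved_autostarts(entries):
    """O4 Run entries whose image is a bare file name: Windows resolves it via
    the search path, so the log alone does not say which file actually runs."""
    found = []
    for e in entries:
        if e["tag"] == "O4" and "command" in e:
            img = image_path(e["command"])
            if "\\" not in img and "/" not in img:
                found.append((e["name"], img))
    return found


def dpf_hosts(entries):
    """Hosts the O16 ActiveX packages were downloaded from."""
    urls = (e["target"] for e in entries
            if e["tag"] == "O16" and e.get("target", "").startswith(("http://", "https://")))
    return Counter(urlparse(u).netloc.lower() for u in urls)


def tag_counts(entries):
    return Counter(e["tag"] for e in entries)


if __name__ == "__main__":
    ents = parse_entries(unwrap_quoted(SAMPLE_LOG))
    print("entries per section:", dict(tag_counts(ents)))
    for e in ents:
        if e["tag"] in ("O2", "O3", "O16"):
            print(e["tag"], e.get("clsid", "-"), e["target"])
    print("ActiveX download hosts:", dict(dpf_hosts(ents)))
    print("Run entries resolved via search path:", unresolved_autostarts(ents))
```

Feed the full pasted log to unwrap_quoted instead of SAMPLE_LOG to triage the whole thread; the running-process list and header lines are simply skipped by parse_entries. The CLSIDs and DLL paths it returns are what you look up in a known-BHO or known-autostart list, and the O16 hosts tell you at a glance where ActiveX code on the machine came from.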

Trojan Horse named Backdoor.IRC.RPCBot presumably created the reappeared file, as noted in the detail. This posting is merely to highlight the Trojan horse, hoping that will cause someone to reply. If replies after the first one require a donation to get response priority, please note that I would gladly donate if someone solves my problem.

 

Ed Manzer
