Bad file download, need help to clean up.

#1 tag2006



Posted 23 May 2007 - 06:43 PM

Hi Guys,
I downloaded something and am not sure what. My Norton is blocking something and my browser is being hijacked to some anti-virus product, and for the life of me I can't get rid of it.

I have downloaded HijackThis and have a log, and wondered if someone can help me.

Many, many thanks in advance.


StartupList report, 24/05/2007, 00:46:33
StartupList version: 1.52.2
Started from : C:\Documents and Settings\es\Desktop\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options

Running processes:

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Les\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton AntiVirus\osCheck.exe"
NSRKey = C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
EPSON Stylus Photo R220 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
CloneCDTray = "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
Norton Save and Restore = "C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe"
LogMeIn GUI = "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
ipmon = ipmon.exe


Autorun entries from Registry:

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
RegClean Expert Scheduler = "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\cscentfy.dll - {00534B55-3155-CA4F-B41D-0E922121D03C}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\mljgday.dll - {9A853E36-4A35-4DBF-9C03-AD9423798E35}
(no name) - C:\WINDOWS\system32\ddaba.dll - {C8CF63E0-02B0-49DE-B807-4A597C3243C0}
(no name) - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}


Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - es.job
Norton SystemWorks One Button Checkup.job


Enumerating Download Program Files:

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1177258241640

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[Performance Viewer Activex Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
CODEBASE = https://secure.logme...ivex/RACtrl.cab


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

End of report, 7,193 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 tag2006



Posted 24 May 2007 - 06:14 AM


Have I come to the wrong board, or has this been answered a zillion times and I'm not seeing the solutions?

Please advise, I really don't want to format!!

Thanks again

Please be patient. There are more than 50 logs being posted every day and our helpers cannot deal with them all at once, so please understand this. After all, we are doing this in our spare time and for free, and most of us have a full-time job in between as well.

Also, we always try to deal with the oldest logs first, because it wouldn't be fair for someone to get help immediately while another person has already been waiting for a couple of days.
Also read the Forum FAQ at the top.

#3 SWI Support Robot

Posted 26 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

#4 dkdeath



Posted 26 May 2007 - 08:58 AM

You are infected with R3C.B trojans, IPMON.exe.

First of all, remove Norton AntiVirus: http://service1.syma...005033108162039

Then install NOD32 antivirus, Comodo Firewall, and AVG, which are all free.
Then let them clean your system.

