Discussion Starter · #1 ·
When looking for help on this website regarding my sometimes slow-running computer (so slow it seems to stop at times, and then picks up speed again), I came across a thread called WinAntivirusPro in which Distinguished Member JSntgRvr was helping someone with his computer that was running unwanted adware.

In this thread JSntgRvr gives directions to run Dr.Web CureIt, so I thought I would give it a try since Ad-Aware, Spybot and Norton's antivirus found nothing on my computer.

Dr.Web CureIt found more than one trojan (!) on my computer, but called them "incurable". I followed JSntgRvr's directions and "moved" the files and then saved the report to my desktop.
The Dr.Web CureIt report is below (as well as an HJT log), and my questions are: when you take the option in Dr.Web CureIt to move the files, are the files then quarantined and harmless? Do you need to do anything further? Should a person run Dr.Web CureIt on a regular basis (it seems to find things that other reputable programs don't find)?
Thank you for any help that you can give.
Hegs
********Dr.Web CureIt report ***********
MiniBugTransporter.dll;C:\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Incurable.Moved.;
Scramble.exe;C:\Program Files\Raydr's Scrambler;Probably BACKDOOR.Trojan;Incurable.Moved.;
sdcmon.dll;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
tgcmd.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
tgupdate.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;

*******HJT**************
Logfile of HijackThis v1.99.0
Scan saved at 9:24:20 PM, on 1/9/07
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SILICON PRAIRIE SOFTWARE\MEMTURBO\MEMTURBO.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {69616780-BC6C-11D7-8041-00045A8F2873} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {69616781-BC6C-11D7-8041-00045A8F2873} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {69616782-BC6C-11D7-8041-00045A8F2873} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .dcr: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://www.active.com
O15 - Trusted Zone: http://www.ez-tracks.com
O15 - Trusted Zone: http://brainpop.speedera.net
O15 - Trusted Zone: http://www.firstinmath.com
O15 - Trusted Zone: http://r.imchaos.net
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: www.equiserve.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.advancerx.com
O15 - Trusted Zone: http://www.iknowthat.com
O15 - Trusted Zone: http://*.teacherweb.com
O15 - Trusted Zone: http://www.powermediaplus.com
O15 - Trusted Zone: www.math.com
O15 - Trusted Zone: http://www.quizville.com
O15 - Trusted Zone: http://www.principal.com
O15 - Trusted Zone: www.glencoe.com
O15 - Trusted Zone: http://www.dositey.com
O15 - Trusted Zone: www.brainpop.com
O15 - Trusted Zone: http://www.brainpop.com
O15 - Trusted Zone: http://www.usna.edu
O15 - Trusted Zone: http://www.macromedia.com
O15 - Trusted Zone: http://www.coolmath4kids.com
O15 - Trusted Zone: http://www.financefreak.com
O15 - Trusted Zone: http://www.coolmath.com
O15 - Trusted Zone: www.snapfish.com
O15 - Trusted Zone: http://www.snapfish.com
O15 - Trusted Zone: http://www.bkstr.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://neteye.pct.edu/activex/AxisCamControl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
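As an added example (not code from the thread or from Dr.Web), a small Python parser for the semicolon-separated CureIt report format pasted above. It groups the detections by the action CureIt recorded and lists the heuristic "Probably ..." verdicts separately from signature matches, which is the first thing a helper triaging such a report wants to see.

```python
# Added example: parse a Dr.Web CureIt report. Each record is
#   filename;directory;detection name;action taken;
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Records copied verbatim from the report posted above.
REPORT = r"""
MiniBugTransporter.dll;C:\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Incurable.Moved.;
Scramble.exe;C:\Program Files\Raydr's Scrambler;Probably BACKDOOR.Trojan;Incurable.Moved.;
sdcmon.dll;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
tgcmd.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
tgupdate.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
"""


@dataclass
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def heuristic(self) -> bool:
        # CureIt prefixes verdicts that lack a signature match with "Probably".
        return self.threat.startswith("Probably ")

    @property
    def full_path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per well-formed record; skip blank or odd lines."""
    found = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
        if len(fields) != 4 or not fields[0]:
            continue  # not a detection record
        found.append(Detection(*fields))
    return found


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Group full paths by action; list heuristic hits and affected directories."""
    by_action: Dict[str, List[str]] = defaultdict(list)
    for d in dets:
        by_action[d.action].append(d.full_path)
    return {
        "by_action": dict(by_action),
        "heuristic": [d.full_path for d in dets if d.heuristic],
        "directories": sorted({d.directory for d in dets}),
    }
```

Running `summarize(parse_report(REPORT))` shows that all five files share the action "Incurable.Moved." and that four of the five are heuristic verdicts.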
Retired Trusted Advisor
Hi hegs,
I would be cautious about following instructions that were aimed at another member with possibly different problems (maybe even a different operating system). The advice given in some postings here is sometimes for a very specific set of circumstances that may not match yours.
I would suggest waiting for qualified advice before doing anything further.

Richard
Discussion Starter · #3 ·
Thanks for replying to my query, Richard. I was beginning to think that you had to know some secret code to get some response on this forum. Nobody ever answers my questions, so that's why I try to look through the answers to other people's questions to try to help myself.
I have tried "bump" to keep my questions on a recent page, but that doesn't really help.
Thanks again for the caution :)
hegs