.tt4.tmp.vbs problems due to Antivirus XP 08
xksun
Newbie
4. July 2008 @ 20:00
Dear afterdawn members,
I installed the "Antivirus XP 2008" by mistake, which I got to know to be a malware from the web later. I seemed to successfully delete it by "Wopti Utilities", but every time I rebooted my computer, I found a popup notice:

Can not find script file: "C:\Documents and Settings\Username\Local Settings\Temp\.tt4.tmp.vbs"

I would appreciate it very much if you could give me some hint on how to repair!
-Xian

The log from HJT is pasted as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:48 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lphcajmj0ej2v.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphcajmj0ej2v] C:\WINDOWS\system32\lphcajmj0ej2v.exe
O4 - HKLM\..\Run: [SMrhcejmj0ej2v] C:\Program Files\rhcejmj0ej2v\rhcejmj0ej2v.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VoipRaider] "C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized
O4 - Startup: ?eé?′ê°? 2005.lnk
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xksun.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://xksun.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7073 bytes
Senior Member
4. July 2008 @ 22:08
1. "Disable System Restore" on all drives. http://download.nai.com/products/mcafee-...eSysRestore.htm

2. Backup any sensitive data to an external drive, cd, dvd, separate partition or flash drive etc.

3. Download CCleaner and save the file to your desktop. http://download.piriform.com/ccsetup209.exe
a. Double click the install file
b. Select the language and click OK
c. Click next
d. Click "I Agree"
e. Click Next
f. Untick the bottom checkbox and click install
g. Click Finish
h. You can delete the install file now or save it for future installations
i. Open CCleaner from the desktop shortcut
j. Click on the "Applications" tab and make sure all are ticked
k. Click on "Analyze" at bottom
l. Once finished scan click on run cleaner, bottom right
m. Click on the "Registry" button on the left panel
n. Select "Scan for Issues"
o. Click "Fix selected Issues". When asked to make a backup click YES and save the file somewhere safe
p. Click on "Fix All Selected Issues"
q. Click OK, Click close
r. Repeat steps from letter "K" to "Q"
s. Close the program.

4. Download all three files to a folder on your desktop. Extract both zip files to the same folder. Double click the sysclean file and follow the prompt. Click on the advanced button underneath for more options prior to scanning.

SystemClean
http://www.trendmicro.com/ftp/products/tsc/sysclean.com

Virus Pattern File
http://www.trendmicro.com/ftp/products/pattern/lpt383.zip

Malware Pattern File
http://www.trendmicro.com/ftp/products/p...ssapiptn663.zip


5. Download CWShredder and scan your system for "CoolWebSearch" malware.
http://www.trendmicro.com/ftp/products/o.../cwshredder.exe
xksun
Newbie
5. July 2008 @ 05:02
Thank you so much, ozy, I followed exactly your instructions. After I rebooted my computer, the original popup "cannot find ***\.tt4.tmp.vbs" didn't show up.

A related problem: I deleted the notorious "Antivirus XP 2008" by "Wopti Utilities", and it indeed disappeared from "Add or Remove Program" in Control Panel, however, I found that it still existed in the "All Programs" of Start menu. How can I get rid of it? Thank you very much in advance for your kind response!

I ran the HJT again and the logfile is pasted below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:20 AM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lphcajmj0ej2v.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphcajmj0ej2v] C:\WINDOWS\system32\lphcajmj0ej2v.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VoipRaider] "C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized
O4 - Startup: ?eé?′ê°? 2005.lnk
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xksun.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://xksun.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6957 bytes
Senior Member
5. July 2008 @ 05:44
10. Next you can do a quick Spyware Audit which won't actually install any program but just check the system for infection to see where we are in the fight against Spyware/Viruses

a. Go here and follow the prompts. If you have no internet, skip this step.
http://www.webroot.com/services/entaudit/auditbegin.php
b. Click on the link and save the file to your "Desktop"
c. Run the file and wait for all 5 steps to finish
d. View the displayed results. If your system only shows cookies then you're OK. If your system has any other one of three groups then more work needs to be done.

Please post your results
Trojans 1
Spyware 2 etc.
Senior Member
5. July 2008 @ 06:10
Try these for your next steps.

Now if you're using Windows XP let's make sure you have the latest Service Pack.
a. Open CCleaner and in the top Heading is a System Spec List.
b. Where it says "MS Windows XP SP 1, 2 or 3".
c. If you have anything below SP3 you should download the following file:
http://download.windowsupdate.com/msdown...e2300ebfde4.exe
d. Save the file to your desktop and then install by following the prompts.
e. You will probably need to restart your system after the install.

12. Now we want to check what internet explorer you currently use. The latest is "Internet Explorer 7".
a. Open internet explorer and click on "help" in the top toolbar.
b. Click on "About Internet Explorer". If you have version 6 or below you need to upgrade to version 7.
c. Download it here:
http://www.microsoft.com/downloads/detai...&displaylang=en
d. Click the download button and save the file to your desktop.
e. Open the file and follow the prompt.
Senior Member
5. July 2008 @ 06:20
These last three posts should keep you busy. I see you currently run Symantec software. Please let me know what version and package type. I am very much against Norton because of its lack of detection and system resource hogging.

7. Download and install Counterspy v2 trial version for 15 day fully functional.
http://go.sunbelt-software.com/?linkid=410
a. Click Next
b. Agree to the license agreement
c. Click Next
d. Click Next again
e. Click Install
f. Click Finish - The check box above should be ticked to open the program.
g. Click next - Getting Started
h. Click next if using demo version
i. Click next to enable automatic updates
j. Select "YES" and Select "CAUTIOUS" then Next
k. Select "YES" then Finish
l. Select "Enter Counterspy Now"

To update the CounterSpy application and security risk definitions Click Updates on the toolbar or select File - Check for updates... from the menu bar. The Update Services window opens and downloads the available updates. After it is complete, click Close.

m. Now you are ready for a full system scan
n. Select "System Scan" from the left menu
o. Select "Full System"
p. Select "Low Risk Programs"
q. Select "Cookies"
r. Select "Save Options"
s. Above Select "Scan Now"

Please wait for scan to complete. To be on the safe side "Quarantine All Objects".

Now click on "System Tools" and click "My PC Checkup" and Click "Start".
Click Continue and "OK".

Now go back into "System Tools" and select "PC Explorer". Here you can check startup programs, ActiveX controls, BHO files, and much more. If unsure how to use leave as is for now.
xksun
Newbie
5. July 2008 @ 17:09
Dear ozy, thank you so much for your kind instructions!
I just ran the Spyware Audit in the first step of your posts, and the results show that there is no other three groups. The result detail is posted as follows. BTW, I am using Symantec AntiVirus. The version is 9.0.2.1000, scan engine is 81.1.0.13. I don't know what package it is. Can you please kindly suggest my next steps, or do I have to follow the next steps in your last posts? Thank you very much again!
-Xian


Tracking Cookies Detected: 2

Cookies allow marketing firms to track the Web sites you visit without your knowledge. Sometimes this information is shared with other firms.

Cookies:

atlas dmt cookie
doubleclick cookie
Senior Member
5. July 2008 @ 20:57
Carry on with the 2nd lot out of 3 that I posted earlier.
xksun
Newbie
5. July 2008 @ 20:59
Dear ozy, I have followed the first two steps of your last posts and upgraded my Windows XP to SP3, and the IE to version 7. However the "Antivirus XP 2008" still exists in "All Programs" of "start" menu. Moreover, for the past several reboots, the Windows Script Host popup notice showed each time after Windows started up.

Can not find script file: "C:\Document and Settings\xksun\local settings\Temp\.ttE.tmp.vbs".

The only difference for each time is the filename of the missing script file:
.ttE.tmp.vbs, .tt12.tmp.vbs, .tt1B.tmp.vbs, .tt23.tmp.vbs, .tt2B.tmp.vbs, .tt38.tmp.vbs

Thank you for your more suggestions. -Xian

The HJT logfile is attached as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:53 PM, on 7/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lphcajmj0ej2v.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphcajmj0ej2v] C:\WINDOWS\system32\lphcajmj0ej2v.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VoipRaider] "C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized
O4 - Startup: ?eé?′ê°? 2005.lnk
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xksun.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://xksun.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7198 bytes
xksun
Newbie
5. July 2008 @ 21:27
Dear ozy, I am running the CounterSpy as you suggested and will let you know of the result as soon as the scanning finishes. Thanks again. -Xian
Senior Member
5. July 2008 @ 21:35
Make sure to run the counterspy for the whole 15 day trial period.

If you don't mind uninstalling Symantec anti virus and reinstalling it at a later date I'd recommend trying nod32.

6. Download Trial version of Nod32 Anti-Virus 3.0
for Windows XP/2000/Vista (32-bit)
http://download1.eset.com/eval/win/eav/eav_nt32_enu.msi

for Windows XP/2000/Vista (64-bit ONLY)
http://download1.eset.com/eval/win/eav/eav_nt64_enu.msi


Installation mode: Typical
Enable threatsense early warning system
Enable Detection of potentially unwanted applications

You have now finished the install. Restart the computer and then right click on the Nod32 bottom toolbar icon and select "update".
Now you can scan your pc so again right click on the toolbar icon and select "computer scan". Select "My Computer" and then select "Scan" at the bottom right.
Wait for scan to finish to review results making sure any Bad files are Quarantined.
xksun
Newbie
6. July 2008 @ 01:15
Dear ozy,
Thank you again for your suggestions.
After running CounterSpy, I removed two files according to the advice by the program, one is named "BDPlugin Browser Plug-in", the other one is "Cookie: Tracking Cookies Cookie (General)". Then I restarted my computer.

I noticed that after I rebooted my computer, CounterSpy gave me a warning at bottom right that an unknown program C:\WINDOWS\system32\lphcajmj0ej2v.exe was trying to start up and asked me if I would like to Quarantine, I hesitated and just a few seconds later the notice disappeared. Then the familiar "Can not find script file..." popped up again. I am not sure if this file is bad or not. Then I removed the link to this file manually only from the Startup list, and the "Can not find script file" didn't come up after the next reboot.

The annoying "Antivirus XP 2008" still exists in the "All Program" of "Start" menu. I am running the scan with ESET NOD32 Antivirus and will let you know the results ASAP. Thank you! -Xian

This message has been edited since posting. Last time this message was edited on 6. July 2008 @ 02:06
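
Added example (not part of any post in this thread): a Python sketch that compares the O4 autostart entries of two HijackThis scans, here excerpts of the first and third logs posted above, and flags entries that survive cleanup and whose executable name looks machine-generated. The function names and the "looks random" heuristic are assumptions made for illustration, not a HijackThis feature.

```python
import re
from collections import namedtuple

# Excerpts copied from the O4 sections of the first and third HijackThis logs
# in this thread, trimmed to a few lines each.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphcajmj0ej2v] C:\WINDOWS\system32\lphcajmj0ej2v.exe
O4 - HKLM\..\Run: [SMrhcejmj0ej2v] C:\Program Files\rhcejmj0ej2v\rhcejmj0ej2v.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphcajmj0ej2v] C:\WINDOWS\system32\lphcajmj0ej2v.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

Autorun = namedtuple("Autorun", "location name command")

# Matches registry Run-key lines such as:
#   O4 - HKLM\..\Run: [name] command
O4_RUN = re.compile(
    r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def parse_autoruns(log_text):
    """Return the set of registry Run entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.add(Autorun(m["loc"], m["name"], m["cmd"].strip()))
    return entries


def exe_stem(command):
    """Lower-case file name, without extension, of the command's executable."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut at the first ".exe".
        m = re.match(r"(?i)(.+?\.exe)\b", cmd)
        path = m.group(1) if m else cmd.split()[0]
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Crude heuristic (an assumption): long, mixes letters and digits, few vowels."""
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    if len(stem) < 8 or not letters or not digits:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def compare_scans(before_text, after_text):
    """Classify Run entries as removed, persisting or added between two scans."""
    before = parse_autoruns(before_text)
    after = parse_autoruns(after_text)
    return {
        "removed": sorted(before - after),
        "persisting": sorted(before & after),
        "added": sorted(after - before),
    }


def flag_persisting(before_text, after_text):
    """Entries present in both scans whose executable name looks machine-generated."""
    diff = compare_scans(before_text, after_text)
    return [e for e in diff["persisting"] if looks_random(exe_stem(e.command))]


if __name__ == "__main__":
    result = compare_scans(LOG_BEFORE, LOG_AFTER)
    for entry in result["removed"]:
        print("removed by cleanup:", entry.name, "->", entry.command)
    for entry in flag_persisting(LOG_BEFORE, LOG_AFTER):
        print("still autostarting, review:", entry.name, "->", entry.command)
```
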

xksun
Newbie
6. July 2008 @ 01:59
The scan of ESET NOD32 Antivirus just finished, the scanned result:
Number of scanned object: 379303
Number of infected objects: 0
Number of cleaned objects: 0
Please let me know if you need to see the scan log. Thank you, ozy!

Bests, -Xian
xksun
Newbie
_
6. July 2008 @ 03:42 _ Link to this message    Send private message to this user   
I ran the CounterSpy again just now, and no security risk was detected this time. So can you please advise me on the next steps, ozy?
I appreciate all the suggestions you have offered to me.
Best regards
-Xian

This message has been edited since posting. Last time this message was edited on 6. July 2008 @ 03:51

Senior Member
_
9. July 2008 @ 05:47 _ Link to this message    Send private message to this user   
Yes, you should have quarantined the file. Start your PC in safe mode and do a full scan with counterspy.
Also if you open counterspy, click on system tools, then PC explorers. Check for that file in Startup Programs section and running processes section.
xksun
Newbie
_
10. July 2008 @ 03:02 _ Link to this message    Send private message to this user   
Dear ozy,
I did a full scan with counterspy in safe mode and no threat was found. Before I saw your last advice, I just deleted the link of that "Antivirus XP 2008" from the "All Programs" list in the "start" menu, so I couldn't find it again in "Startup Programs section" and "running processes section" in "PC explorers" of counterspy. Does that mean my PC is free of bad files?
Thanks so much for guiding me all the way long.
Bests,
Xian
Senior Member
_
10. July 2008 @ 07:15 _ Link to this message    Send private message to this user   
Open counterspy, click on view, hover your mouse on active protection and click on view all good applications. If there is anything suspicious add a tick next to it and click remove all marked applications. Restart your pc. If that same threat that you noticed earlier pops up, quarantine it.
xksun
Newbie
_
10. July 2008 @ 22:46 _ Link to this message    Send private message to this user   
Dear ozy,
I did what you suggested and the record is empty: "There are no good user applications."
BTW, last time after I ran the counterspy and deleted the files "BDPlugin Browser Plug-in" and "Cookie: Tracking Cookies Cookie (General)", I didn't find the pop-up after rebooting my computer. So I guess my pc might be already clean?
Thanks a lot!
Xian
Senior Member
_
10. July 2008 @ 23:13 _ Link to this message    Send private message to this user   
Sounds like you might be right. I would go to something other than Symantec for protection. All I use is the following
Nod32
Counterspy or Spysweeper (your choice, both are good but don't run both)
windows xp pro sp3
windows firewall
Internet Explorer 7
Billion modem router 7401-vgp-m firmware 5.53

A router is a must have. Makes you invisible to the outside world. Read the following.
If you currently run a software firewall other than the windows system firewall then I would suggest uninstalling it and replacing it with a network router which supports NAT (network address translation). If you cannot afford one straight away then leave it installed for the time being. You may already have a router or it may be built into your Broadband Modem. A router makes your PC merely invisible to the outside world by displaying dummy IP Addresses.
a. Go to this website
https://www.grc.com/x/ne.dll?bh0bkyd2
b. Please have a short read prior to taking first test.
c. Click on "Proceed"
d. Click on each test option in the table File Sharing, Common Ports, All Service Ports, Message Spam and Browser Headers.
e. Read your results after each test. The tests in Red are the most important.
If your results do not come back as stealth and you are using a software firewall then it's not really working for you.
If your results do not come back as stealth and you have a network router then it is not configured correctly or the firmware needs updating. (see your hardware manufacturer's website for this)
If you have a router and a software firewall other than windows firewall then I would uninstall it and run the tests again.
Software firewalls can be a major drag to your system and are too much work to maintain let alone configure. If you are not sure about an application wanting permission to access the outside world then the wrong decision could easily be made causing a security issue or your operating system functioning incorrectly. Watch the attached video: http://youtube.com/watch?v=1rsUefv-nlk

If your windows firewall is disabled I would suggest turning it back on.

People tend to tighten their pockets when it comes to paying for security but because of this they end up paying dearly with lost files, photos, empty bank accounts or simply hardware failure.

I pay $65.00 AUD for this security per year. Plus $200.00 for the modem router which is a one off purchase. Not bad for complete peace of mind.
iTokee
Suspended due to non-functional email address
_
10. July 2008 @ 23:26 _ Link to this message    Send private message to this user   
ozy you wanna reply to my thread
i need some help man =(