Trojan Virus....Hijack This Log...

[Kislanya]

After running a Symantec scan today I found the virus and it could not be deleted, quarantined or fixed. The results:
The compressed file sup.reg within C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\APT27YXO\caliba(1).exe is infected with the IRC trojan virus.

I am a novice on the pc, so any instructions will have to be very simple, basically a step by step...sorry, still learning.

I ran a log file:
Logfile of HijackThis v1.99.1
Scan saved at 6:10:14 PM, on 3/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: hsnBar BHO - {57ECFB51-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\1.bin\HSNBAR.DLL
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &HSN ShopBar - {57ECFB59-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\1.bin\HSNBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Windows XP...thank you, Kislanya

[dahli]

Hello Kislanya,

Click Start>Run then type cleanmgr
This will open Disk Cleanup program - allow it to Temporary Internet Files and Temporary Files

Reboot is SAFE MODE and scan with Symantec again.

Reboot and post the results of the scan.

[Kislanya]

Quote:

Originally Posted by dahli

Hello Kislanya,

Click Start>Run then type cleanmgr
This will open Disk Cleanup program - allow it to Temporary Internet Files and Temporary Files

Reboot is SAFE MODE and scan with Symantec again.

Reboot and post the results of the scan.

Okay did everything you suggested and after running another Symantec scan there are zero infections. I don't know how you did it but it's gone.
I want to know as in further reading at the board, it was suggested after getting rid of a virus to 'wash out system restore' or words to that effect.
Do I need to do that and if so, how?

Thank you so much...Kislanya

[dahli]

Yes, it is good to clean out your System Restore (in case you need to use it that you do not reinfect yourself)

First, you need to TURN OFF System Restore by following these steps:

Click START - Then right-click on My Computer and select Properties
Click the System Restore tab.
Place a check mark next to Turn off System Restore on all drives
Click Apply > Yes

REBOOT

Follow the same steps to TURN ON System Restore.

[Kislanya]

Quote:

Originally Posted by dahli

Yes, it is good to clean out your System Restore (in case you need to use it that you do not reinfect yourself)

First, you need to TURN OFF System Restore by following these steps:

Click START - Then right-click on My Computer and select Properties
Click the System Restore tab.
Place a check mark next to Turn off System Restore on all drives
Click Apply > Yes

REBOOT

Follow the same steps to TURN ON System Restore.

Hi again,
Well even I can follow those instructions....thanks so much, this board is amazing....best wishes, Kislanya

[dahli]

You are very welcome

[Kislanya]

Now that you have helped me get rid of the virus, I am wondering about my pc's anti-virus protection coverage overall.
I have the Symantec, Spyware Blaster and Spybot software which I update constantly and run weekly.
Is there any other software that you would recommend besides these?
Thank you, Kislanya

[dahli]

That is fairly good protection. Does your Symantec include a firewall?

Basic suggestions for security:

One firewall
One Anti-virus
1-2 AntiSpyware

I would suggest that if Symantec doesn't include a firewall that you get one. I would also suggest getting another anti-spyware program (AVG AntiSpyware, SUPERAntiSpyware, Dr. Web's CureIt, Windows Defender, to name a few)

There is a good post to read here

[Kislanya]

Quote:

Originally Posted by dahli

That is fairly good protection. Does your Symantec include a firewall?

Basic suggestions for security:

One firewall
One Anti-virus
1-2 AntiSpyware

I would suggest that if Symantec doesn't include a firewall that you get one. I would also suggest getting another anti-spyware program (AVG AntiSpyware, SUPERAntiSpyware, Dr. Web's CureIt, Windows Defender, to name a few)

There is a good post to read here

I don't have a firewall but I was told it would interfere with downloading tunes off the internet. Is that true?
Kislanya

[dahli]

It depends on the firewall and how it is setup. I have had no problems ZoneAlarm

[Kislanya]

Quote:

Originally Posted by dahli

It depends on the firewall and how it is setup. I have had no problems ZoneAlarm

When you say it depends on how it's setup, I don't know what means. I download from Limewire. Would ZoneAlarm be okay with that website? or do I have to do something special in downloading a firewall to make it work okay?
Kislanya

[dahli]

ZoneAlarm is very user-friendly. Others are not. Some firewalls block whatever the programmer decides. ZoneAlarm is customizable after it is downloaded to allow you to download. I would be EXTREMELY careful downloading ANYTHING through Limewire since most things on there are illegal copies or malware.

[Kislanya]

They charge to be a member there and I run that kind of a risk? So then I am guessing that a firewall pretty much won't help against that kind of issue. It's outrageous that they charge if members can infect their pc's so easily...KIslanya

[dahli]

Yes, it is. They charge in order to pay for the storage space, speed, updates, etc. They don't control what people upload or download. A firewall does help though - and the newest version of Limewire helps with firewalls