I have a trojan.downloader on a Windows XP platform. NOrton Anti Virus describes it as "Trojan.Proscks.C".
Once deleted, it keeps coming back. I am at a loss.
Thanks!
Below is a copy of the Hijack This Log -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:16 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\csrss.
exe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\System32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spools
v.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\macidw
e.exe
C:\Program Files\McAfee\SiteAdvisor\M
cSACore.ex
e
C:\WINDOWS\System32\spool\
DRIVERS\W3
2X86\3\HP1
006MC.EXE
C:\MSSQL7\binn\sqlservr.ex
e
C:\WINDOWS\system32\Nobicy
t.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchos
t.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\sobicy
t.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService
.exe
C:\WINDOWS\system32\tdxdow
kc.exe
C:\WINDOWS\system32\Search
Indexer.ex
e
C:\WINDOWS\System32\alg.ex
e
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.
exe
C:\WINDOWS\system32\igfxpe
rs.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon
.exe
C:\Program Files\Google\GoogleToolbar
Notifier\G
oogleToolb
arNotifier
.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\Search
ProtocolHo
st.exe
C:\WINDOWS\system32\Search
FilterHost
.exe
C:\PROGRA~1\WINZIP\winzip3
2.exe
C:\Documents and Settings\arolf\Local Settings\Temp\wzc8b7\Hijac
kThis.exe
C:\WINDOWS\system32\wbem\w
miprvse.ex
e
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Page
_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Sear
ch_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
090271D4F8
8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIE
Helper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
4DAF1D92D4
3} - C:\Program Files\Java\jre1.6.0_02\bin
\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
F10577473F
7} - c:\program files\google\googletoolbar
2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
445EE16191
0} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClien
t.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
E66B5AD205
D} - C:\Program Files\Google\GoogleToolbar
Notifier\3
.0.1225.98
68\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2
CD0E90A88F
F} - c:\PROGRA~1\mcafee\SITEAD~
1\mcieplg.
dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
09027A5CD4
F} - c:\program files\google\googletoolbar
2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
819E2EAAC9
3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClien
t.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-1
7FE6E806AA
0} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-5
16ABECAE06
4} - c:\PROGRA~1\mcafee\SITEAD~
1\mcieplg.
dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
ay.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
rs.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
Notifier\G
oogleToolb
arNotifier
.exe
O4 - HKCU\..\Run: [GoToAssist Express Expert] "C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_start.exe" "/Trigger RunAtLogon"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
\OFFICE11\
EXCEL.EXE/
3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
0401C60850
1} - C:\Program Files\Java\jre1.6.0_02\bin
\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
0401C60850
1} - C:\Program Files\Java\jre1.6.0_02\bin
\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
C9C571A826
3} - C:\PROGRA~1\MICROS~2\OFFIC
E11\REFIEB
AR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchos
t.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchos
t.dll
O16 - DPF: {17492023-C23A-453E-A040-C
7C580BBF70
0} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-f
a1d4f56a2a
b} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsth
elper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-F
FDE2BAC296
7} (DLM Control) -
http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D
8356294013
4} (MySpace Uploader Control) -
http://lads.myspace.com/upload/MySpaceUploader1005.cabO16 - DPF: {6414512B-B978-451D-A0D8-F
CFDF33E833
C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159967971859O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
4455354000
0} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO16 - DPF: {E8F628B5-259A-4734-97EE-B
A914D7BE94
1} (Driver Agent ActiveX Control) -
http://plugin.driveragent.com/files/driveragent.cabO17 - HKLM\System\CCS\Services\T
cpip\Param
eters: Domain = server.ronnoco.net
O17 - HKLM\Software\..\Telephony
: DomainName = server.ronnoco.net
O17 - HKLM\System\CS1\Services\T
cpip\Param
eters: Domain = server.ronnoco.net
O17 - HKLM\System\CS1\Services\T
cpip\Param
eters: SearchList = server.ronnoco.net
O17 - HKLM\System\CS2\Services\T
cpip\Param
eters: Domain = server.ronnoco.net
O17 - HKLM\System\CS2\Services\T
cpip\Param
eters: SearchList = server.ronnoco.net
O17 - HKLM\System\CCS\Services\T
cpip\Param
eters: SearchList = server.ronnoco.net
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-0
67394E91CC
5} - c:\PROGRA~1\mcafee\SITEAD~
1\mcieplg.
dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
Updater\GoogleUpdaterServi
ce.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidw
e.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\M
cSACore.ex
e
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicy
t.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: sobicyt - Unknown owner - C:\WINDOWS\system32\sobicy
t.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService
.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdow
kc.exe
Start Free Trial
