CastleCops, Internet Crime Fighters
scan revealed weakness in port 1024

Lissa

Cadet


Joined: Dec 25, 2003
Posts: 8
Location: USA

PostPosted: Fri Dec 26, 2003 4:29 am    Post subject: scan revealed weakness in port 1024

Please help... I think I have a trojan dropper virus from AOL Messenger. I clicked on a friend's info and received a warning, but the Norton AntiVirus (updated) activity log states that it was identified but unable to repair or access. Since the notice I have run several checks with Norton AntiVirus and Symantec but no virus was found. I'm computer illiterate so any info would help. When I ran a Trojan TCP Scan at this site I was informed that port 1024 was accessible. I ran HijackThis and here are the results. Thank you for any assistance. Lissa

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tri-citiesonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tri-citiesonline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XTN
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2765fe099b1a70043700/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B76D266-6EE6-4C12-9249-0FCCF62B84D5}: NameServer = 216.98.64.12 216.12.0.20

OrphanAnnie

Security Expert


Joined: Dec 04, 2003
Posts: 2278

1st Responder Mentors MVP Security Experts

PostPosted: Fri Dec 26, 2003 7:03 am    Post subject:

Welcome to Computer Cops Lissa. Your log looks fine apart from the fact that you have Spykiller installed. I have tested this program and it is a menace. It identified valid registry entries as spyware and had I paid the bucks, it would have trashed my OS. Uninstall it and download Spybot - Search & Destroy from here. My standard instructions for use below:

If you already have Spybot on your PC, make sure that it is the latest version, then go online and make sure that you have installed the latest updates. This is VERY important.


After installing, launch Spybot from the Desktop icon (Easy Mode), click on the Search For Updates button, then search for and install all updates.

Now click on the Check for Problems button and the scan will start. Any Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed. If, after running the scan, Spybot displays red entries, click on the Fix Selected Problems button.

Now click on the Immunize button to protect your PC from known pests and exit.

If you have chosen to install an icon in your Quick Launch bar, Spybot will launch in Advanced Mode. I do not recommend this option for first time users of Spybot.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot.
SSD will activate before the system puts these components 'in use', and it will then be able to 'fix' the rest.

Where did Norton say the trojan dropper was (the file path)?

Re port 1024, it is almost impossible to close ports using freeware however it's worth a try. Shut down WinXP's firewall (I assume that you are running XP) and go here and install Sygate and reboot. When you have done this, go here, scroll down and run ShieldsUP! Post back the results.

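The reading OrphanAnnie gives of the log above (only the SpyKiller entries stand out) can be reproduced mechanically. The following Python is an added example, not code from this thread or from HijackThis: it parses the R/F/O entry lines of a v1.97-style log and applies three review heuristics that are my own assumptions, namely a watchlist (SpyKiller, the one name the thread flags), autorun entries whose command has no full path, and ActiveX (O16) downloads served from a bare IP address. The sample log is constructed from entry types seen in the thread, not the full log as posted.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 format, using entry types from the thread's log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2765fe099b1a70043700/netzip/RdxIE601.cab
"""

# Product names the thread's helper singled out as unwanted (only SpyKiller comes from
# the thread); an analyst would load a maintained list instead of hard-coding it.
WATCHLIST = ("spykiller",)

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")   # "O4 - ..." style entry lines
QUALIFIED_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')        # command starts with a drive path
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_entries(log_text):
    """Yield (type, body) for each R/F/O entry; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def parse_o4(body):
    """Split an O4 body into (location, item name, command)."""
    location, _, tail = body.partition(": ")
    if tail.startswith("["):          # registry Run key form: [name] command
        name, _, cmd = tail[1:].partition("] ")
    else:                              # Startup folder form: name.lnk = command
        name, _, cmd = tail.partition(" = ")
    return location, name, cmd.strip()

def triage(log_text):
    """Return (entry type, reason, body) for every entry that deserves a second look."""
    findings = []
    for kind, body in parse_entries(log_text):
        if any(w in body.lower() for w in WATCHLIST):
            findings.append((kind, "watchlist match", body))
        if kind == "O4":
            _, _, cmd = parse_o4(body)
            if cmd and not QUALIFIED_PATH_RE.match(cmd):
                findings.append((kind, "autorun without a full path; confirm which file runs", body))
        elif kind == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if IPV4_RE.fullmatch(host):
                findings.append((kind, "ActiveX download from a bare IP address", body))
    return findings
```

A flagged entry is a prompt to check the file or source, not a verdict: nwiz.exe in the sample is a vendor component, and the bare-IP rule only says the download origin cannot be judged from its name.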
Lissa

Cadet


Joined: Dec 25, 2003
Posts: 8
Location: USA

PostPosted: Fri Dec 26, 2003 8:08 pm    Post subject: Spybot

Thank you OrphanAnnie, Bulldog and CalamityJane for your responses. I downloaded Spybot and checked for updates. After running a system check several problems were found, all in red, yet some were prechecked and others were not. I fixed those prechecked and now I have several that are red left. Do I need to check these and fix? Since I'm computer illiterate I'm worried that I may remove something vital. Again thank you for your help.

Lissa

Cadet


Joined: Dec 25, 2003
Posts: 8
Location: USA

PostPosted: Fri Dec 26, 2003 8:12 pm    Post subject: File infected

The file that Norton AntiVirus identified as infected was
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KEA4F58L\New[1].hta.
It states "unable to access".
Thank You
Lissa

CalamityJane

Security Expert
Microsoft MVP

Joined: Oct 05, 2002
Posts: 4004

MVP Premium Security Experts

PostPosted: Fri Dec 26, 2003 8:32 pm    Post subject:

Hi Lissa,

First, you cut off the top part of your log that shows us what Operating System you have and some other details that would help us help you a little better.

First you need to empty your Temporary Internet Files (TIF) and clear your cache. You can also empty your TEMP folder. If you need help with directions on that let us know what your OS is, we can give you step by step instructions. Emptying those will clear out the infected file that Norton is giving you.

As for your Spybot question, I have a tutorial I made for my new users that has screenshots on how to determine what items to fix in the program. Basically, for the unchecked items you can right-click on them and get a description from the program as to what it is, what it does, and what Spybot can do to correct the problem for you. In fact, if I recall correctly, there is a box you can check after a Spybot scan that will clear your cache for you (the files I described above).

Anyhoo....perhaps this will help explain how it works:

My very short Spybot Tutorial to set up and scan the first time
http://forum.gladiator-antivirus.com/index.php?showtopic=8630

And this is a more detailed Tutorial that will help you in using Spybot:
How to Use Spybot
http://spybot.eon.net.au/index.php?lang=en&page=knowledgebase/getstarted


_________________
Microsoft MVP/Windows Security 2003-2008
Lissa

Cadet


Joined: Dec 25, 2003
Posts: 8
Location: USA

PostPosted: Fri Dec 26, 2003 8:47 pm    Post subject:

Is this what you need?
Logfile of HijackThis v1.97.7
Scan saved at 3:44:13 PM, on 12/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

CalamityJane

Security Expert
Microsoft MVP

Joined: Oct 05, 2002
Posts: 4004

MVP Premium Security Experts

PostPosted: Fri Dec 26, 2003 11:54 pm    Post subject:

Hi Lissa,

Yep, that was the cut-off part.

Now, how did you make out with emptying your TIF and TEMP files - do you need help with that?

Or any further questions or need help with Spybot? You could post your Spybot log if so. Mine is located here:

C:\Program Files\Spybot - Search & Destroy 1.1\Logs (the log folder). Click on the file in there with the most recent date, then copy and paste it into your post here.

Once your PC is clean, you'll need to reset your restore points:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

More information here:
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405


_________________
Microsoft MVP/Windows Security 2003-2008
Lissa

Cadet


Joined: Dec 25, 2003
Posts: 8
Location: USA

PostPosted: Sat Dec 27, 2003 2:06 am    Post subject:

Do I turn System Restore off before I run Spybot and fix problems, or do I fix the problems, then turn it off, reboot and turn it on? Sorry, I'm so confused. I just want to make sure that I don't destroy the system. I deleted temporary internet files (cookies?) but am unsure about the folder. I fixed all checked items indicated by Spybot and ran another Trojan TCP scan, and access to port 1024 was denied. However, I still have 68 red items in Spybot; they were unchecked and I was unsure if I should check and fix them. Should I copy the results and paste them?

OrphanAnnie

Security Expert


Joined: Dec 04, 2003
Posts: 2278

1st Responder Mentors MVP Security Experts

PostPosted: Sat Dec 27, 2003 4:34 am    Post subject:

Anything that Spybot displays in red represents spyware/foistware or malware. You can safely choose to fix these items, Lissa. Don't forget to reboot afterwards.

Regarding the file identified as infected in your Temporary Internet files. Close IE and go to Start > Control Panel and click on Internet Options. Click on the General Tab and delete all Temporary Internet Files and Offline Content. Reboot and run your AV again and let us know the results.

Wait until we have finished cleaning up your PC before you disable System Restore.


_________________
Microsoft MVP - Windows Desktop Experience 2004-2008
Lissa

Cadet


Joined: Dec 25, 2003
Posts: 8
Location: USA

PostPosted: Sat Dec 27, 2003 6:53 pm    Post subject:

Spybot removed all suspect items and I deleted all temporary internet files and offline content. The scan shows no further problems. Is that all I need to do? Also, are Yahoo and AOL Messenger safe to download? Is there a safer messaging system?
Thank you for all the help!
Lissa


_________________
Serenity Now.....Insanity Later
Lissa
OrphanAnnie

Security Expert


Joined: Dec 04, 2003
Posts: 2278

1st Responder Mentors MVP Security Experts

PostPosted: Sat Dec 27, 2003 10:57 pm    Post subject:

Glad we could help, Lissa. Yep, all you need to do now is to disable and re-enable System Restore (if you haven't already done this). If you wish to use an IM, either is fine to download. You may wish to consider Trillian though. Read about it here and then make up your own mind which you prefer.

As your problem is resolved, I'll close this thread. If you have any further problems and would like this thread re-opened, feel free to PM any of our staff.


_________________
Microsoft MVP - Windows Desktop Experience 2004-2008