Two days of hell ... trojan horse probs

Old 04-14-2006, 01:56 AM
Gary Richardson
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717

1st things first.

If you're not using Norton anymore, it's best to get rid of all of it, as it sometimes causes conflicts with other systems. The uninstaller that comes with the program does not always remove everything (as can be seen from the plethora of Norton/Symantec entries in your HJT log).


Norton makes an Uninstall Tool which will successfully remove it from your system. HERE
(Check which version of Ghost you're using, as it also removes one of the earlier (2003) versions; you'd have to re-install it).

Zone Alarm usually has a service (O23 Entry in HJT) running.

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Don't see it in your log. (May be worth doing an Uninstall then Re-install of Zone Alarm).

As for Windows XP restore points, there seem to be a whole lot of inconsistencies that I can't explain. (Only M$ know, and their description doesn't clarify matters much).

When you restore to an earlier restore point, you will usually lose programs that have been installed since that point was created (not all programs seem to be lost, seems to be some complication there that I don't understand), your registry will be set back to the settings as per that time. Usually any updates to programs will be lost (again sometimes not so). Personal files and folders do not seem to be affected in any way.

Not helping clarify things I know, truth is I don't fully know. This may explain.

Link to tutorial on System Restore

Last edited by Gary Richardson; 04-14-2006 at 02:13 AM.
Old 04-14-2006, 02:35 AM
Craig Walters
Senior Member
Join Date: Apr 2005
Location: somewhere over there
Posts: 8,786
Blog Entries: 4

re norton av, i agree. and thanks for the link to their uninstaller. and trust me, i'm well aware of poor uninstalls.

and regarding zone alarm, look at the running processes section of the log:
and re restore points, i'm afraid that's about the only answer i've ever gotten from anyone...
As for Windows XP restore points, there seem to be a whole lot of inconsistencies that I can't explain.
lol. so you're not alone. i will say this. it did wipe out the virus (amen!), and it did cause me to lose some files that were added after the checkpoint date. i was wrong about some of them though. the ones before the checkpoint do seem to still be in place. it did remove my avg anti-virus updates from avg. i haven't checked yet, but i'm also fairly sure that any zone alarm allows or disallows will now be gone as well. i also know it saved my butt, not only this time, but when i was having that trouble getting service pack ii to install. i used restore points for that as well to get rid of the errant versions and attempts i was getting.

i can also say that so far, i can find NO trace of the virus or its components. mssearchnet.exe, nvctrl.exe and all things related to that 'security' thing seem to be gone....with one exception that i just caught earlier tonight and that was a .txt file on my desktop that said 'security guide'. not completely sure if that was part of the other stuff, but when i checked the properties, it did seem like it. so, that one's a bit of a mystery re the restore points.

so, all in all, i'm fairly happy again. i will be updating some things and moving some other things. i'd been getting a bit complacent with all this, not being infected (that i knew of) for quite a while now. frankly, i think we're being too easy on these virus creators. we've mostly all been on the defensive. i'd like to see a little offensive. i did see, when i got windows defender, that microsoft is teaming up with some folks regarding viruses and that they want individuals to join their club also. i think this is a pretty good idea. i can see a new wave of 'security partners' coming in the future that are likely going to be more aggressive on all this. microsoft and others have always been slow to get the message about what's going on, but hackers, crackers, script kiddies and others might want to get clean now. when the big boys like microsoft really set their sights on something they can bring an awful lot of clout to the table.

and just as a side note, can you imagine ole bill getting this same virus or sasser or blaster on his home machine? how embarrassing would that be?

Old 04-14-2006, 10:17 AM
Gary Richardson
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
I overlooked the other Zone Labs running processes (expected to see them as services, so didn't look for them there), partly due to the fact that my auto check had marked them as valid entries. I was concentrating on looking for rogue entries at that point.

I'm still curious as to why C:\WINDOWS\system32\ZoneLabs\vsmon.exe is not showing as a running service (don't like discrepancies). It's probably been disabled by the infection (they often disable firewalls to make access to your computer easier).

Click Start > Run and type services.msc. Scroll down and you should find a service called TrueVector Internet Monitor. Double-click on it to open Properties, and check that it's set to Auto; check also that its "Service Status" is Started, then click OK.

Any problems with this let me know.
Old 04-14-2006, 01:20 PM
Craig Walters
Senior Member
Join Date: Apr 2005
Location: somewhere over there
Posts: 8,786
Blog Entries: 4

again, thanks.

on this:
Click Start > Run and type services.msc. Scroll down and you should find a service called TrueVector Internet Monitor. Double-click on it to open Properties, and check that it's set to Auto; check also that its "Service Status" is Started, then click OK.
everything seems copacetic. it's there, on automatic and running. don't know why it wouldn't show on hjt. i think some things are a little odd after the restore.

also, i ran another scan and log last night because i wanted to get mozilla back as my default browser. i also hadn't run i.e. since the restore either. so, the log has changed just a bit because of these:

Logfile of HijackThis v1.99.1
Scan saved at 1:12:11 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe
P:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
F:\Program Files\\Mozilla\mozilla.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page ={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
N2 - Netscape 6: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("", "engine://"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O15 - Trusted Zone:
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer =,
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - H:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - I:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

for instance, not sure how that 'aol' thing got in there. i also don't need the 'Directway' thing in there any more. that's from my old satellite internet, which i no longer use. but, all in all, it still looks pretty clean to me.

Old 04-14-2006, 02:55 PM
Gary Richardson
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
If you want to get rid of the AOL in your IE Trusted Zone, just run a scan with HJT, check it, then click on Fix Checked to remove it.

The O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing) is a little more involved. You can't just check it in HJT to remove it.

1st we have to stop the service, then remove it, and finally remove the file.

Sorry, time for another "canned" speech (I've got loads).

We need to stop a service...
  • Click Start button then select Run.
  • Type services.msc then hit OK.
  • Scroll down and find the service called DIRECWAY Webcast.
  • Right-click on Service and choose Properties.
  • On the General tab under Service Status click the Stop button to stop the service.
  • Beside Startup Type in the dropdown menu select Disabled.
  • Click Apply then OK. Exit the Services utility.

Let's delete that service
  • Start HijackThis.
  • Click Config button.
  • Click Misc Tools button.
  • Click Delete an NT Service button.
  • Copy and paste the service name DPC_SRV_WEBCAST into the Delete an NT Service window.
  • Click OK.
  • Close HijackThis.

Now delete this folder.

Rest of the log looks clean. (obviously these aren't malicious entries, just unwanted ones).

As a point of information, although HJT says the Direcway file is missing, HJT is unreliable in this regard with all but the O2 & O3 entries.
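The two checks Gary does by eye in this thread (a process such as vsmon.exe running with no matching O23 service entry, and an O23 entry HJT marks "file missing" that still has to be verified by hand) can be run over a HijackThis log mechanically. This is an added example, not code from the thread or from HijackThis; SAMPLE_LOG is constructed, with some lines copied from the log posted above and the rest (the Zone Labs Run entry, the mssearchnet.exe path) made up for illustration.

```python
import re

# Constructed sample modeled on the log posted above: several lines are copied
# from it; the Zone Labs O4 entry and the mssearchnet.exe path are made up.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\mssearchnet.exe
F:\Program Files\Mozilla\mozilla.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe"
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
LAUNCH_TAGS = {"O4", "O23"}  # entry types that explain how an exe gets started

def parse_hjt(text):
    """Return (running process paths, [(tag, body), ...])."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(m.groups())
    return processes, entries

def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def unaccounted_processes(processes, entries):
    """Running executables no O4 Run key or O23 service accounts for: the
    vsmon.exe discrepancy Gary spotted. Hand-started programs (the browser)
    land here too, so this is a review queue, not a verdict."""
    known = set()
    for tag, body in entries:
        if tag in LAUNCH_TAGS:
            known.update(exe_name(p) for p in EXE_RE.findall(body))
    return [p for p in processes if exe_name(p) not in known]

def review_services(entries):
    """O23 entries with review flags. 'file_missing' is HJT's own verdict,
    which the thread notes is only dependable for O2/O3 entries, so verify
    by hand; 'unknown_owner' means the binary carried no publisher info."""
    report = []
    for tag, body in entries:
        m = SERVICE_RE.match(body) if tag == "O23" else None
        if m:
            report.append({
                "name": m["short"] or m["display"],
                "path": m["path"],
                "file_missing": m["missing"] is not None,
                "unknown_owner": m["owner"].lower() == "unknown owner",
            })
    return report

if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("running, no launch point:", unaccounted_processes(procs, ents))
    print("services to review:", review_services(ents))
```

On the sample, vsmon.exe, mssearchnet.exe and mozilla.exe come back as unaccounted for, and the DIRECWAY service is the only one carrying both the file-missing and unknown-owner flags.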
Old 04-15-2006, 01:33 AM
Craig Walters
Senior Member
Join Date: Apr 2005
Location: somewhere over there
Posts: 8,786
Blog Entries: 4

thanks. i'll work on those tomorrow.

today, at least this evening, i've been working on updating my security. got and re-installed the newer win patrol. got and installed again, task catcher. got and installed spybot s&d with teatimer. ran spybot and it found over 30 items. cute. mostly, these were dead items and non-working fragments of old spyware or other malicious junk. nonetheless, i removed most of them. i didn't remove 2. one is 'cyberview', which is software that i'm pretty sure came with my negative scanner. it's a twain/usb device and the software to go with it. not sure why spybot saw that as a threat... but i'll check into it more tomorrow.

also downloaded, but didn't install, some items from the spybot site that looked kind of interesting. his regalyzer, filealyzer and i think one other. haven't installed those and they're not, strictly speaking, security items, but they looked kind of interesting. (i'm a download junkie).

anyways, the system seems to be running ok. i should probably do a registry cleaning also after all this. i think i have 'regclean' somewhere. if you know of a better one or have any comments on that one, i'd love to hear it.

again, thanks! and i'll try to be more security conscious in the future.

Old 04-15-2006, 10:48 AM
Gary Richardson
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Craig,

This is what I usually suggest to secure a computer. (Based on a user who uses IE as their browser).

Personally I use Firefox with the No Script and Site Advisor plugins. (You still need to secure IE).

(Suggestions, yet another "canned" speech (does this boy have no end of these)).

Updating Windows and Internet Explorer

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update).

Make your Internet Explorer more secure
  • From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level.
  • Make sure these options are set as follows:
    • Download signed ActiveX controls to Prompt
    • Download unsigned ActiveX controls to Disable
    • Initialize and script ActiveX controls not marked as safe to Disable
    • Installation of desktop items to Prompt
    • Launching programs and files in an IFRAME to Prompt
    • Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Press the Apply button and then the OK to exit the Internet Properties page.
The following are free programs that are designed to keep your computer clean. A brief description is included with each item; click on the name to go to the download site.
  • Adaware SE Personal
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
  • Spybot S & D
    Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
  • SpywareBlaster
    SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets "kill bits" in the registry, so that certain ActiveX controls can't install.
    If you don't know what ActiveX controls are, see here
  • IE Spyad
    It puts many bad webpages on your Restricted Zone list. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use JavaScript and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
  • Hosts file:
    • Every version of Windows has a hosts file.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    • Make sure you read the instructions on how to install the hosts file, here.
  • If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Use Anti-Virus Software - It's very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety Online - List of free Anti-virus programs
  • Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one.
  • Site Advisor - This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. (It also colour tags items in your Google Searches)

Last edited by Gary Richardson; 04-15-2006 at 11:13 AM.
Old 04-15-2006, 11:09 AM
Gary Richardson
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
If you like programs that analyse your system, try Process Explorer by Mark Russinovich, available at
Displays all running processes on your computer and a whole lot more. (Warning: seriously Geeky).

Very informative and powerful tool, can be used to remove all sorts of nasties if used properly. Will also muck up your system totally if used incorrectly, (no backups so don't use for removing Malware unless you REALLY know what you're doing).

RegCleaner is as good as any (I use it), just remember that using any automated cleaner on your registry carries an element of risk. Make a backup of your registry before cleaning, and keep it for a while after you've cleaned just in case you have any unforeseen problems.

If you don't know how to make a Registry backup let me know and I'll be happy to post instructions.
Old 04-15-2006, 11:16 AM
Craig Walters
Senior Member
Join Date: Apr 2005
Location: somewhere over there
Posts: 8,786
Blog Entries: 4

sage advice, indeed.

mostly i use mozilla. oddly, when i'm going to go to what i think may be a bit of a suspicious site, i use i.e. i know that sounds backwards, but frankly, i'd rather infect i.e. than mozilla, if it's going to happen. i guess that's because i rely on mozilla more than i.e. and try to keep mozilla safe. yes, i know, i need i.e. for windows updates, so, yes, it is a bit screwy.

and normally, i have the i.e. settings you recommend already set that way, or very close to it. so, i'm not really sure how i got that trojan...probably downloaded something i shouldn't have or actively viewed something i shouldn't have. i do recall allowing some activex things on sites i thought i could trust, so maybe it was there. not sure.

and yes, i'm overdue for a windows update. so, that's on my list too.

Old 04-15-2006, 11:27 AM
Gary Richardson
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
By using No Script with Firefox, you greatly reduce the chances of getting an infection. This bans Javascript by default. Sites are given Javascript privileges on a site by site basis under your control (a site you determine "safe" can be given it "permanently").

As you're already aware, Firefox does not support ActiveX or WinScript, so the combo of Firefox and No Script gives a very secure browser. (No browser is totally secure).

There have been a couple of big security updates for Outlook Express and IE recently, as well as the usual hole plugs in XP, so it's important you update ASAP.

Have fun, and keep safe.

PS. You can update Windows using Firefox. Either set Security Centre to update Windows on Auto. OR if you prefer a little more control (I do) set it to notify you when new updates occur. When an update occurs, it will throw up a yellow shield icon in your taskbar. Simply click on the shield to get details on the update, select what you want, then allow it to update. No need to go to Windows Update site, and therefore no need to use IE.