BleepingComputer.com: newbie needs your expertise on this highjack log


newbie needs your expertise on this highjack log

#1 kellyaswift (Member; Posts: 17; Joined: 08-June 05)

Posted 08 June 2005 - 10:51 AM

Sorry...Spelled hijack wrong...long day. I am bombarded with popups. Think I have several problems - Ebates Moneymaker and IBIS Toolbar, among others. But not sure. I've tried Spybot S & D, AdAware, MS Antispyware, and Spy Control - to no avail. Each shows the problem fixed and then it immediately reappears. I would turn off my system restore but I don't know where it is or if it exists on Win 2000. I can't get any work done - please help!

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:40 AM, on 6/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\unumkr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.79.downloads.estara.com....125421OneCC.cab
O16 - DPF: {6C9BF525-DA4D-4BB6-BD92-47FBDDB42DF5} (TaxCalculator.CTaxer) - http://prod.comcept.net/ActiveX/TaxerCalculator.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.comcept.net/Viewer/activexviewer.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D312963A-D83D-4766-AB92-DD5A30D5EF95} (CMSProdActiveX.XMLLoad) - http://prod.comcept.net/ActiveX/CMSProdActiveX.CAB
O16 - DPF: {F90D47D0-F243-49B3-9E7B-F2D49567E626} (IEPrntCtl Class) - http://prod.comcept.net/ActiveX/IEPrintControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

This post has been edited by kellyaswift: 08 June 2005 - 10:52 AM


#2 ddeerrff (Retired; Group: Malware Response Team; Posts: 2,524; Joined: 13-September 04; Gender: Male; Location: Wisconsin, US)

Posted 09 June 2005 - 12:08 AM

Hello kellyaswift and welcome to BleepingComputer.

Download LQfix.zip.
- Unzip it to your desktop.
- Do not use it yet.

Download FindQoologic.zip.
- Unzip it to your desktop.
- Do not use it yet.

Configure Windows to enable viewing of Hidden and System files.


Reboot into Safe Mode.


Locate LQFix.bat on your desktop.
- Doubleclick on LQFix.bat. A command window will open and close again, that is normal.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe
O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINNT\system32\unumkr.exe <--Files
C:\winnt\system32\eliteyfd32.exe
C:\WINNT\system32\dpnhpast.exe

Reboot normally.

Run Find-Qoologic2.bat.
-This will generate a log file; please post the entire contents of the log file here for me to see.

Also post a fresh HJT log.
Derfram
~~~~~~

#3 kellyaswift (Member; Posts: 17; Joined: 08-June 05)

Posted 09 June 2005 - 08:41 AM

Thank you so much for your help! I've followed your directions and everything went great until I tried to run Find-Qoologic2.bat. I received the following error message:

C:\WINNT\system32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
Choose 'Close' to terminate the application.

I tried to choose 'Ignore' and it would not allow me to.

However, here is my new HJT log. THANKS AGAIN!


Logfile of HijackThis v1.99.1
Scan saved at 9:40:34 AM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtrp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.79.downloads.estara.com....125421OneCC.cab
O16 - DPF: {6C9BF525-DA4D-4BB6-BD92-47FBDDB42DF5} (TaxCalculator.CTaxer) - http://prod.comcept.net/ActiveX/TaxerCalculator.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.comcept.net/Viewer/activexviewer.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D312963A-D83D-4766-AB92-DD5A30D5EF95} (CMSProdActiveX.XMLLoad) - http://prod.comcept.net/ActiveX/CMSProdActiveX.CAB
O16 - DPF: {F90D47D0-F243-49B3-9E7B-F2D49567E626} (IEPrntCtl Class) - http://prod.comcept.net/ActiveX/IEPrintControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

#4 ddeerrff (Retired; Group: Malware Response Team; Posts: 2,524; Joined: 13-September 04; Gender: Male; Location: Wisconsin, US)

Posted 09 June 2005 - 09:35 AM

Quote

C:\WINNT\system32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.

Fairly common problem.

Download xp_fix.exe to your desktop and run it. Reboot your computer and give Find-Qoologic2.bat another try.
Derfram
~~~~~~

#5 kellyaswift (Member; Posts: 17; Joined: 08-June 05)

Posted 09 June 2005 - 10:12 AM

Done. Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINNT\System32\UNUMKR.EXE
* KavSvc C:\WINNT\System32\OGOHIPZ.DLL
* KavSvc C:\WINNT\System32\SUPDATE.DLL
* aspack C:\WINNT\System32\DODRNCB.EXE
* aspack C:\WINNT\System32\REDIT.CPL
* UPX! C:\WINNT\System32\UCI.EXE
* UPX! C:\WINNT\System32\UNUMKR.EXE
* UPX! C:\WINNT\System32\OGOHIPZ.DLL
* UPX! C:\WINNT\System32\SUPDATE.DLL
* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RTRP.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk
rtrp.exe

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

#6 ddeerrff (Retired; Group: Malware Response Team; Posts: 2,524; Joined: 13-September 04; Gender: Male; Location: Wisconsin, US)

Posted 09 June 2005 - 11:42 AM

It looks like either you didn't copy/paste all the Qoologic log, or you did not allow it to finish. We have enough info to continue, but be sure you get the whole log next time.


Please download the Killbox.
- Unzip it to the desktop.
- Run Killbox.
- Select "Delete on Reboot".

Copy the file names below by highlighting them and pressing Control-C:

C:\WINNT\System32\UNUMKR.EXE
C:\WINNT\System32\OGOHIPZ.DLL
C:\WINNT\System32\SUPDATE.DLL
C:\WINNT\System32\DODRNCB.EXE
C:\WINNT\System32\REDIT.CPL
C:\WINNT\System32\UCI.EXE
C:\WINNT\System32\UNUMKR.EXE
C:\WINNT\System32\OGOHIPZ.DLL
C:\WINNT\System32\SUPDATE.DLL
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtrp.exe


- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Reboot normally once more, then please run and post fresh HJT and Find-Qoologic2 logs.
Derfram
~~~~~~
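One way to check that the entries ddeerrff asked to fix in posts #2 and #6 really disappeared between scans: the Python script below is an added example, not code from this thread or from HijackThis. It diffs a "before" HJT log against an "after" log and pulls the launched program out of every removed O4 Run entry, giving you the list of files that should no longer exist on disk; the two sample logs are trimmed from the ones posted above, and the regexes and function names are my own.

```python
"""Diff two HijackThis logs to confirm a cleanup took (added example)."""
import re
from typing import Dict, List, Optional

# An HJT entry line: section code (R0, O4, O16, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Body of a registry Run entry: 'HKLM\..\Run: [Name] command'.
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Program at the start of a command: a "quoted path" or an unquoted path ending
# in a common executable extension; whatever follows is arguments.
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|com|bat|cmd|scr|pif|cpl)))(?:\s|$)',
    re.IGNORECASE,
)


def parse_entries(log: str) -> Dict[str, str]:
    """Map each entry to its full line. Run entries are keyed by hive and value
    name so a changed command for the same [Name] still shows as a change."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        run = O4_RUN_RE.match(body) if sec == "O4" else None
        key = f"{sec}|{run.group('hive')}|{run.group('name')}" if run else f"{sec}|{body}"
        entries[key] = line
    return entries


def removed_entries(before: str, after: str) -> List[str]:
    """Entries in the first scan that are absent or changed in the second."""
    old, new = parse_entries(before), parse_entries(after)
    return [old[k] for k in old if new.get(k) != old[k]]


def o4_executable(line: str) -> Optional[str]:
    """The program an O4 Run entry launches, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group("sec") != "O4":
        return None
    run = O4_RUN_RE.match(m.group("body"))
    if not run:
        return None  # e.g. 'Global Startup:' entries use a different layout
    cmd = run.group("cmd").strip()
    exe = EXE_RE.match(cmd)
    if exe:
        return exe.group("quoted") or exe.group("bare")
    return cmd.split()[0]  # fall back to the first token


def files_to_verify(before: str, after: str) -> List[str]:
    """Programs behind the removed Run entries; each should be gone from disk."""
    paths = {p for p in map(o4_executable, removed_entries(before, after)) if p}
    return sorted(paths, key=str.lower)


# Constructed sample: trimmed from the first and last logs posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe
O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

if __name__ == "__main__":
    for entry in removed_entries(BEFORE, AFTER):
        print("gone:", entry)
    print("verify deleted:", files_to_verify(BEFORE, AFTER))
```

Paste two full HJT logs in place of the samples to use it on a real case; a path that is still present on disk after the diff says its entry is gone is the thing to look at next.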

#7 kellyaswift (Member; Posts: 17; Joined: 08-June 05)

Posted 09 June 2005 - 12:40 PM

Followed your instructions again.

Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:39:34 PM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.79.downloads.estara.com....125421OneCC.cab
O16 - DPF: {6C9BF525-DA4D-4BB6-BD92-47FBDDB42DF5} (TaxCalculator.CTaxer) - http://prod.comcept.net/ActiveX/TaxerCalculator.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.comcept.net/Viewer/activexviewer.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D312963A-D83D-4766-AB92-DD5A30D5EF95} (CMSProdActiveX.XMLLoad) - http://prod.comcept.net/ActiveX/CMSProdActiveX.CAB
O16 - DPF: {F90D47D0-F243-49B3-9E7B-F2D49567E626} (IEPrntCtl Class) - http://prod.comcept.net/ActiveX/IEPrintControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe


THANKS AGAIN!

#8 ddeerrff (Retired; Group: Malware Response Team; Posts: 2,524; Joined: 13-September 04; Gender: Male; Location: Wisconsin, US)

Posted 09 June 2005 - 02:38 PM

The logs look clean kellyaswift. How are things behaving?
Derfram
~~~~~~

#9 ddeerrff (Retired; Group: Malware Response Team; Posts: 2,524; Joined: 13-September 04; Gender: Male; Location: Wisconsin, US)

Posted 16 June 2005 - 12:14 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~
