Hijackthis Log - Windows 2000 Server


This topic is locked
28 replies to this topic

#1 wrledebuhr
Members, 16 posts

Posted 05 September 2007 - 11:12 AM

Here is the HijackThis log. We know we're infected with the Vundo virus but don't know how to get rid of it.
-----------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:59 AM, on 9/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\program files\Strata\strata_agent.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\dlbxcoms.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\SPOOL\DRIVERS\W32X86\3\dlbxPSWX.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\dlbxjswx.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\dlbxPSWX.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\autoruns.exe
C:\WINNT\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {FDA50A5C-59B2-4325-B4CC-62AA85AF8009} - C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKUS\S-1-5-21-1708537768-1343024091-725345543-1006\..\Run: [ctfmon.exe] ctfmon.exe (User 'Christian')
O4 - HKUS\S-1-5-21-1708537768-1343024091-725345543-1013\..\Run: [ctfmon.exe] ctfmon.exe (User 'Dan')
O4 - HKUS\S-1-5-21-1708537768-1343024091-725345543-1015\..\Run: [ctfmon.exe] ctfmon.exe (User 'kevin')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524608F3-CF52-45D0-A0F0-F81C334B0EBA}: NameServer = 4.2.2.2,4.2.2.3
O20 - Winlogon Notify: AutorunsDisabled - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: CLSID - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: gebyv - C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
O23 - Service: dlbx_device - Dell - C:\WINNT\system32\dlbxcoms.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Strata | WinManage Remote Executor (strata_remote) - Unknown owner - c:\program files\Strata\strata_agent.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe

--
End of file - 4858 bytes


#2 Shaba (Koutsi)
Members, 7,872 posts, Finland

Posted 22 September 2007 - 05:58 AM

Hi wrledebuhr

Create a folder of its own for HijackThis on the desktop and move it into that folder.

Post back a fresh HijackThis log.
Microsoft MVP Consumer Security

#3 wrledebuhr (Topic Starter)
Members, 16 posts

Posted 28 September 2007 - 10:18 AM

THIS IS WINDOWS SERVER 2000
First of all, there was a file access error when the VundoFix program was running (while trying to delete the bad file). Here is the error message:

"Error: 75. Path/File access error"
C:\....\gebyv.dll could not be deleted, VundoFix will load on reboot to attempt removal.

I have rebooted the machine twice and get the same error message every time. I have ALSO BOOTED TO SAFE MODE and tried deleting the file manually, but get the same error. Using procexp.exe, I see that the .dll has attached itself to Windows Explorer.

--------------------------------------------------------------------

VundoFix V6.5.9

Checking Java version...

Sun Java not detected
Scan started at 7:38:49 AM 9/28/2007

Listing files found while scanning....

C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
C:\WINNT\system32\hlawunjq.dll
C:\WINNT\system32\khfccba.dll
C:\WINNT\system32\lsvrotwy.dll

Beginning removal...

Attempting to delete C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll Could not be deleted.

Performing Repairs to the registry.
Done!
--------------------------------------------------------------------

Here is the Combofix.txt log:

ComboFix 07-09-28.7 - Administrator 09/28/2007 855.1 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.927 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christian\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Christian\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Christian\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\lisa\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\temp\brr
C:\WINNT\cookies.ini
C:\WINNT\system32\b10FdUe
C:\WINNT\system32\cnuntjqg.dll
C:\WINNT\system32\gqjtnunc.ini
C:\WINNT\system32\icy.dll
C:\WINNT\system32\ixianetm.dll
C:\WINNT\system32\wnsapisv32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\nm


((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 08:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_424.dat
2007-09-28 08:05 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-28 07:54 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-09-28 07:38 <DIR> d-------- C:\VundoFix Backups
2007-09-05 08:58 65,536 -r------- C:\WINNT\system32\dlbxcfg.dll
2007-09-05 08:58 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2007-09-05 08:58 12,592 -----c--- C:\WINNT\system32\dllcache\usbscan.sys
2007-09-05 08:22 <DIR> d-------- C:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2007-09-04 09:40 <DIR> d-------- C:\Program Files\LanTricks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
07-09-28 01:19 --------- d-------- C:\Program Files\NAV
07-09-27 08:49 --------- d-------- C:\Program Files\RESUMate for Windows
07-09-05 15:42 --------- d-------- C:\Documents and Settings\Christian\Application Data\AdobeUM
07-09-05 08:58 --------- d-------- C:\Program Files\Dell Photo AIO Printer 962
07-08-22 11:07 --------- d-------- C:\Documents and Settings\lisa\Application Data\Apple Computer
07-08-22 10:59 --------- d-------- C:\Documents and Settings\kevin\Application Data\Apple Computer
07-08-22 10:55 --------- d-------- C:\Documents and Settings\Dan\Application Data\Apple Computer
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --------- C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --------- C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --------- C:\WINNT\system32\wucltui.dll
07-07-30 19:19 271224 --------- C:\WINNT\system32\mucltui.dll
07-07-30 19:19 207736 --------- C:\WINNT\system32\muweb.dll
07-07-30 19:19 203096 --------- C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --------- C:\WINNT\system32\wups.dll
07-03-19 09:19 557056 --------- C:\Documents and Settings\Christian\GoToAssist_phone__317_en.exe
06-11-08 09:25 557056 --------- C:\Documents and Settings\Christian\chatlnk.exe
04-07-13 17:31 37 --------- C:\Documents and Settings\Christian\Application Data\tvmcwrd.dll
04-07-13 08:24 199156 --------- C:\Documents and Settings\Dan\Application Data\tvmknwrd.dll
04-07-13 07:56 199156 --------- C:\Documents and Settings\Christian\Application Data\tvmknwrd.dll
04-07-02 12:07 28 --------- C:\Documents and Settings\lisa\Application Data\tvmcwrd.dll
04-07-02 11:38 192787 --------- C:\Documents and Settings\lisa\Application Data\tvmknwrd.dll
02-04-15 11:20 8981440 --------- C:\Program Files\Adobe Acrobat Reader.exe
02-03-11 17:04 1803848 --------- C:\Program Files\WinZip.exe
02-02-12 11:48 271 ---h----- C:\Program Files\desktop.ini
02-02-12 11:48 21952 ---h----- C:\Program Files\folder.htt
01-06-20 17:19 40960 --------- C:\Program Files\ACMonitor_X83.exe
01-05-08 05:00 32528 --------- C:\WINNT\inf\wbfirdma.sys
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAC1B3D6-9791-4CA4-AD7A-F0729AA948DF}]
07-07-26 14:29 228960 --a------ C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="Atiptaxx.exe" [00-09-05 08:57 C:\WINNT\system32\atiptaxx.exe]
"vptray"="C:\PROGRA~1\NAV\vptray.exe" [01-09-24 07:59 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"NoFileAssociate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll 07-07-26 14:29 228960 C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyv]
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll 07-07-26 14:29 228960 C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys
R0 stcp2v30;stcp2v30 Driver;C:\WINNT\system32\drivers\stcp2v30.sys
R2 strata_remote;Strata | WinManage Remote Executor;"c:\program files\Strata\strata_agent.exe"
R2 TermServLicensing;Terminal Services Licensing;C:\WINNT\System32\lserver.exe
R2 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys
R3 ati2mpad;ati2mpad;C:\WINNT\system32\DRIVERS\ati2mpad.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 qic157;qic157;C:\WINNT\system32\DRIVERS\qic157.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINNT\system32\Drivers\usbscan.sys
S3 HSFHWCD2;HSFHWCD2;C:\WINNT\system32\DRIVERS\HSFHWCD2.sys
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe
S4 Dfs;Distributed File System;C:\WINNT\system32\Dfssvc.exe
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 06:03:09 C:\WINNT\Tasks\backup.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-09-24 12:53:47 C:\WINNT\Tasks\Monday.job"
"2007-09-26 08:25:07 C:\WINNT\Tasks\oldserver.job"
"2007-09-27 12:50:52 C:\WINNT\Tasks\thursday.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-09-28 07:58:30 C:\WINNT\Tasks\tuesday.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-09-28 14:42:26 C:\WINNT\Tasks\wednesday.job"
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-09-28 8:16:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-28 08:15
.
--- E O F ---
=====================================================
=====================================================

Here is the HijackThis log, which was run after the above two programs were run:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:15 AM, on 9/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\program files\Strata\strata_agent.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CMD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {CAC1B3D6-9791-4CA4-AD7A-F0729AA948DF} - C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524608F3-CF52-45D0-A0F0-F81C334B0EBA}: NameServer = 4.2.2.2,4.2.2.3
O20 - Winlogon Notify: AutorunsDisabled - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: CLSID - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: gebyv - C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
O23 - Service: dlbx_device - Dell - C:\WINNT\system32\dlbxcoms.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Strata | WinManage Remote Executor (strata_remote) - Unknown owner - c:\program files\Strata\strata_agent.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)

--
End of file - 3756 bytes

#4 Shaba (Koutsi)
Members, 7,872 posts, Finland

Posted 28 September 2007 - 10:42 AM

Hi

HijackThis is still on Desktop.

I already instructed you to do this in my previous post:

"Create a folder of its own for HijackThis on the desktop and move it into that folder"

After that:

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by Shaba, 28 September 2007 - 10:42 AM.

Microsoft MVP Consumer Security

#5 wrledebuhr (Topic Starter)
Members, 16 posts

Posted 02 October 2007 - 09:25 AM

ComboFix 07-09-28.7 - Administrator 10/02/2007 7:19:54.2 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.720 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE::
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 07:24 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_414.dat
2007-09-28 08:05 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-28 07:54 24,576 --------- C:\WINNT\system32\VundoFixSVC.exe
2007-09-28 07:38 <DIR> d-------- C:\VundoFix Backups
2007-09-05 08:58 65,536 -r------- C:\WINNT\system32\dlbxcfg.dll
2007-09-05 08:58 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2007-09-05 08:58 12,592 -----c--- C:\WINNT\system32\dllcache\usbscan.sys
2007-09-05 08:22 <DIR> d-------- C:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2007-09-04 09:40 <DIR> d-------- C:\Program Files\LanTricks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
07-10-02 01:18 --------- d-------- C:\Program Files\NAV
07-10-01 07:49 --------- d-------- C:\Program Files\RESUMate for Windows
07-09-05 15:42 --------- d-------- C:\Documents and Settings\Christian\Application Data\AdobeUM
07-09-05 08:58 --------- d-------- C:\Program Files\Dell Photo AIO Printer 962
07-08-22 11:07 --------- d-------- C:\Documents and Settings\lisa\Application Data\Apple Computer
07-08-22 10:59 --------- d-------- C:\Documents and Settings\kevin\Application Data\Apple Computer
07-08-22 10:55 --------- d-------- C:\Documents and Settings\Dan\Application Data\Apple Computer
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --------- C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --------- C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --------- C:\WINNT\system32\wucltui.dll
07-07-30 19:19 271224 --------- C:\WINNT\system32\mucltui.dll
07-07-30 19:19 207736 --------- C:\WINNT\system32\muweb.dll
07-07-30 19:19 203096 --------- C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --------- C:\WINNT\system32\wups.dll
07-03-19 09:19 557056 --------- C:\Documents and Settings\Christian\GoToAssist_phone__317_en.exe
06-11-08 09:25 557056 --------- C:\Documents and Settings\Christian\chatlnk.exe
04-07-13 17:31 37 --------- C:\Documents and Settings\Christian\Application Data\tvmcwrd.dll
04-07-13 08:24 199156 --------- C:\Documents and Settings\Dan\Application Data\tvmknwrd.dll
04-07-13 07:56 199156 --------- C:\Documents and Settings\Christian\Application Data\tvmknwrd.dll
04-07-02 12:07 28 --------- C:\Documents and Settings\lisa\Application Data\tvmcwrd.dll
04-07-02 11:38 192787 --------- C:\Documents and Settings\lisa\Application Data\tvmknwrd.dll
02-04-15 11:20 8981440 --------- C:\Program Files\Adobe Acrobat Reader.exe
02-03-11 17:04 1803848 --------- C:\Program Files\WinZip.exe
02-02-12 11:48 271 ---h----- C:\Program Files\desktop.ini
02-02-12 11:48 21952 ---h----- C:\Program Files\folder.htt
01-06-20 17:19 40960 --------- C:\Program Files\ACMonitor_X83.exe
01-05-08 05:00 32528 --------- C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="Atiptaxx.exe" [00-09-05 08:57 C:\WINNT\system32\atiptaxx.exe]
"vptray"="C:\PROGRA~1\NAV\vptray.exe" [01-09-24 07:59 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"NoFileAssociate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyv]
C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys
R0 stcp2v30;stcp2v30 Driver;C:\WINNT\system32\drivers\stcp2v30.sys
R2 strata_remote;Strata | WinManage Remote Executor;"c:\program files\Strata\strata_agent.exe"
R2 TermServLicensing;Terminal Services Licensing;C:\WINNT\System32\lserver.exe
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys
R3 ati2mpad;ati2mpad;C:\WINNT\system32\DRIVERS\ati2mpad.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 qic157;qic157;C:\WINNT\system32\DRIVERS\qic157.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINNT\system32\Drivers\usbscan.sys
S2 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml
S3 HSFHWCD2;HSFHWCD2;C:\WINNT\system32\DRIVERS\HSFHWCD2.sys
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe
S4 Dfs;Distributed File System;C:\WINNT\system32\Dfssvc.exe
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 06:03:09 C:\WINNT\Tasks\backup.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-10-01 12:41:37 C:\WINNT\Tasks\Monday.job"
"2007-09-29 08:25:15 C:\WINNT\Tasks\oldserver.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-09-27 12:50:52 C:\WINNT\Tasks\thursday.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-10-02 14:23:53 C:\WINNT\Tasks\tuesday.job"
"2007-09-28 14:42:26 C:\WINNT\Tasks\wednesday.job"
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-10-02 7:27:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-10-02 07:26
C:\ComboFix2.txt ... 07-09-28 08:16
.
--- E O F ---

=============================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:45 AM, on 10/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\program files\Strata\strata_agent.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524608F3-CF52-45D0-A0F0-F81C334B0EBA}: NameServer = 4.2.2.2,4.2.2.3
O20 - Winlogon Notify: AutorunsDisabled - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: CLSID - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: gebyv - C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll (file missing)
O23 - Service: dlbx_device - Dell - C:\WINNT\system32\dlbxcoms.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Strata | WinManage Remote Executor (strata_remote) - Unknown owner - c:\program files\Strata\strata_agent.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)

--
End of file - 3589 bytes

#6 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:48 AM

Posted 02 October 2007 - 09:28 AM

Hi

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank <--- unless you set it
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: CLSID - C:\Documents and Settings\Administrator\WINDOWS\
O20 - Winlogon Notify: gebyv - C:\DOCUME~1\kevin\LOCALS~1\Temp\2\gebyv.dll (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)


Close all windows including browser and press fix checked.

Reboot.

Post a fresh HijackThis log.
Microsoft MVP Consumer Security

#7 wrledebuhr

wrledebuhr
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:48 PM

Posted 02 October 2007 - 10:02 AM

No matter how many times I check that box for VundoFix Service (VundoFixSvc), it never seems to delete....

-----------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:40 AM, on 10/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\program files\Strata\strata_agent.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524608F3-CF52-45D0-A0F0-F81C334B0EBA}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: dlbx_device - Dell - C:\WINNT\system32\dlbxcoms.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Strata | WinManage Remote Executor (strata_remote) - Unknown owner - c:\program files\Strata\strata_agent.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)

--
End of file - 3234 bytes

#8 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:48 AM

Posted 02 October 2007 - 10:05 AM

Hi

Then we do this:

Please click Start > Run and type in: services.msc
Click OK
In the Services window find: VundoFix Service (VundoFixSvc)
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete VundoFixSvc
Click: OK

Now gone?
Microsoft MVP Consumer Security
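As an added example (not part of this thread, and not HijackThis or Windows code), a small Python triage helper that applies the same reading Shaba gave the O20/O23 lines above and in post #6: it flags entries whose file is missing, services with no publisher, Winlogon Notify DLLs loaded from a Temp folder, the reset start page and the broken LSP entry, and pulls out the short service name that the `sc delete` step would take. The sample log lines are constructed from the entries posted in this thread.

```python
import re

# Constructed sample in the shape of the HijackThis logs posted in this thread
# (a few representative lines, not the full log).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\NAV\\vptray.exe
O10 - Broken Internet access because of LSP provider 'c:\\winnt\\system32\\rnr20.dll' missing
O20 - Winlogon Notify: gebyv - C:\\DOCUME~1\\kevin\\LOCALS~1\\Temp\\2\\gebyv.dll (file missing)
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\\Program Files\\NAV\\rtvscan.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O23 body: "Service: <display name> (<short name>) - <owner> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")

def triage(log_text):
    """Return one dict per HijackThis entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("references a file that no longer exists")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if section == "O20" and re.search(r"\\temp\\", body, re.I):
            reasons.append("Winlogon Notify DLL loaded from a Temp folder")
        if section == "R0" and body.endswith("about:blank"):
            reasons.append("IE start page reset to about:blank")
        if section == "O10":
            reasons.append("broken Winsock LSP chain")
        if reasons:
            findings.append({"section": section, "body": body, "reasons": reasons})
    return findings

def orphaned_services(log_text):
    """Short names of O23 services whose image file is gone (the name 'sc delete' takes)."""
    names = []
    for f in triage(log_text):
        if f["section"] != "O23" or "(file missing)" not in f["body"]:
            continue
        svc = SERVICE_RE.match(f["body"])
        if svc:
            short = SHORT_NAME_RE.search(svc.group("name"))
            names.append(short.group("short") if short else svc.group("name"))
    return names
```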

#9 wrledebuhr

wrledebuhr
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:48 PM

Posted 02 October 2007 - 10:11 AM

The service was already stopped but I disabled it. That seemed to do the trick (HiJack log doesn't have it anymore).

When I type in sc ...., it doesn't recognize that command. Ditto if I type it in a command box. What does sc stand for? Alternatives?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:43 AM, on 10/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\program files\Strata\strata_agent.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524608F3-CF52-45D0-A0F0-F81C334B0EBA}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: dlbx_device - Dell - C:\WINNT\system32\dlbxcoms.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Strata | WinManage Remote Executor (strata_remote) - Unknown owner - c:\program files\Strata\strata_agent.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe

--
End of file - 3138 bytes

#10 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:48 AM

Posted 02 October 2007 - 10:15 AM

Hi

My bad, Windows 2000 doesn't have the sc command (it starts, disables and stops services).

Do you have any problems with internet connection?

I ask because of this:

O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
Microsoft MVP Consumer Security

#11 wrledebuhr

wrledebuhr
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:48 PM

Posted 02 October 2007 - 10:18 AM

Right now I think we're ok with our internet connection. I don't think that was ever really an issue but I can check with some of the users. We stopped using IE b/c of the infection but I think we pretty much took care of that. Anything else of concern that you can see?

You guys rock by the way

#12 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:48 AM

Posted 02 October 2007 - 10:20 AM

Hi

Let's run one online scan to be sure:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
Microsoft MVP Consumer Security

#13 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:48 AM

Posted 07 October 2007 - 07:32 AM

wrledebuhr?
Microsoft MVP Consumer Security

#14 wrledebuhr

wrledebuhr
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:48 PM

Posted 08 October 2007 - 12:14 PM

I'm scheduling time to deal with this sometime this week. Thank you so much for your help...

#15 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:48 AM

Posted 08 October 2007 - 12:16 PM

Hi

Ok, take your time :thumbsup:
Microsoft MVP Consumer Security