Strange popups


6 replies to this topic

#1 neutrogina


  • Members
  • 10 posts

Posted 24 February 2005 - 11:18 AM

Hi, a month or so ago I picked up some offensive popups on my computer that I can't seem to get rid of. They are either web poker, porn, casino, that type of thing. I use Spywareblaster, AdAware, and Spybot diligently. There are a couple of entries that I remove from AdAware that keep coming back.

Here is the AdAware log:

Ad-Aware SE Build 1.05
Logfile Created on:February 24, 2005 11:07:49 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R28 16.02.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2-24-05 11:07:49 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 552
ThreadCreationTime : 2-24-05 2:18:51 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 712
ThreadCreationTime : 2-24-05 2:18:53 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 736
ThreadCreationTime : 2-24-05 2:18:56 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 836
ThreadCreationTime : 2-24-05 2:18:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 848
ThreadCreationTime : 2-24-05 2:18:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1032
ThreadCreationTime : 2-24-05 2:18:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1076
ThreadCreationTime : 2-24-05 2:18:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1240
ThreadCreationTime : 2-24-05 2:18:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1264
ThreadCreationTime : 2-24-05 2:18:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1500
ThreadCreationTime : 2-24-05 2:18:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1816
ThreadCreationTime : 2-24-05 2:19:11 PM
BasePriority : Normal


#:12 [cvpnd.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ProcessID : 1836
ThreadCreationTime : 2-24-05 2:19:11 PM
BasePriority : Normal
FileVersion : 4.0.4 (Rel)
ProductVersion : 4.0.4 (Rel)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco Systems, Inc.
OriginalFilename : CVPND.EXE

#:13 [inorpc.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ProcessID : 1876
ThreadCreationTime : 2-24-05 2:19:11 PM
BasePriority : Normal
FileVersion : 6.0.312.0
ProductVersion : 6.0.312.0
ProductName : InoculateIT
CompanyName : Computer Associates International, Inc.
InternalName : InoRpc.exe
LegalCopyright : Copyright © 1992-2001 Computer Associates International, Inc.
LegalTrademarks : InoculateIT ™ is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InoRpc.exe
Comments : InoculateIT English Version

#:14 [inort.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ProcessID : 1912
ThreadCreationTime : 2-24-05 2:19:11 PM
BasePriority : Normal
FileVersion : 6.0.312.0
ProductVersion : 6.0.312.0
ProductName : InoculateIT
CompanyName : Computer Associates International, Inc.
InternalName : InoRT.dll
LegalCopyright : Copyright © 1992-2001 Computer Associates International, Inc.
LegalTrademarks : InoculateIT ™ is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InoRT.dll
Comments : InoculateIT English Version

#:15 [inotask.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ProcessID : 1972
ThreadCreationTime : 2-24-05 2:19:11 PM
BasePriority : Normal
FileVersion : 6.0.312.0
ProductVersion : 6.0.312.0
ProductName : InoculateIT
CompanyName : Computer Associates International, Inc.
InternalName : InoTask.exe
LegalCopyright : Copyright © 1992-2001 Computer Associates International, Inc.
LegalTrademarks : InoculateIT ™ is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InoTask.exe
Comments : InoculateIT English Version

#:16 [lcfd.exe]
FilePath : c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\
ProcessID : 220
ThreadCreationTime : 2-24-05 2:19:11 PM
BasePriority : Normal


#:17 [logwatnt.exe]
FilePath : C:\WINDOWS\
ProcessID : 372
ThreadCreationTime : 2-24-05 2:19:14 PM
BasePriority : Normal


#:18 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 420
ThreadCreationTime : 2-24-05 2:19:14 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:19 [scardsvr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 456
ThreadCreationTime : 2-24-05 2:19:14 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management Server
InternalName : SCardSvr.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : SCardSvr.exe

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 484
ThreadCreationTime : 2-24-05 2:19:15 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [rcserv.exe]
FilePath : C:\WINDOWS\
ProcessID : 524
ThreadCreationTime : 2-24-05 2:19:15 PM
BasePriority : Normal
FileVersion : 3, 7, 1, 9
ProductVersion : 3, 7, 1, 9
CompanyName : TIVOLI Systems
LegalCopyright : Copyright IBM Corp. © 1996, 2001. All rights reserved.

#:22 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 584
ThreadCreationTime : 2-24-05 2:19:15 PM
BasePriority : Normal
FileVersion : 4.5.097.000
ProductVersion : 4.5.097.000
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:23 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1856
ThreadCreationTime : 2-24-05 2:19:27 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:24 [realmon.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ProcessID : 312
ThreadCreationTime : 2-24-05 2:19:29 PM
BasePriority : Normal
FileVersion : 6.0.312.0
ProductVersion : 6.0.312.0
ProductName : InoculateIT
CompanyName : Computer Associates International, Inc.
InternalName : Realmon.exe
LegalCopyright : Copyright © 1992-2001 Computer Associates International, Inc.
LegalTrademarks : InoculateIT ™ is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : Realmon.exe
Comments : InoculateIT English Version

#:25 [mobile.exe]
FilePath : c:\em\opt\tivoli\lcf\dat\1\Mobile\
ProcessID : 452
ThreadCreationTime : 2-24-05 2:19:29 PM
BasePriority : Normal


#:26 [carpserv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 508
ThreadCreationTime : 2-24-05 2:19:30 PM
BasePriority : Normal
FileVersion : 6.00.09.00
ProductVersion : 6.00.09.00
ProductName : Conexant carpserv
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc. 2003
OriginalFilename : carpserv.exe

#:27 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 532
ThreadCreationTime : 2-24-05 2:19:30 PM
BasePriority : Normal
FileVersion : 5.4.101.113
ProductVersion : 5.4.101.113
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright © 1999-2002 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:28 [realplay.exe]
FilePath : C:\Program Files\RealPlayer\
ProcessID : 1044
ThreadCreationTime : 2-24-05 2:19:30 PM
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:29 [iclient.exe]
FilePath : C:\Program Files\Zone Labs\Integrity Client\
ProcessID : 688
ThreadCreationTime : 2-24-05 2:19:31 PM
BasePriority : Normal
FileVersion : 4.5.097.000
ProductVersion : 4.5.097.000
ProductName : Integrity Client
CompanyName : Zone Labs Inc.
FileDescription : Integrity Client
InternalName : iclient
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : iclient.exe

#:30 [hpwuschd.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ProcessID : 768
ThreadCreationTime : 2-24-05 2:19:31 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : Hewlett-Packard hpwuSchd
CompanyName : Hewlett-Packard
FileDescription : hpwuSchd
InternalName : hpwuSchd
LegalCopyright : Copyright © 2003
OriginalFilename : hpwuSchd.exe

#:31 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ProcessID : 716
ThreadCreationTime : 2-24-05 2:19:31 PM
BasePriority : Normal
FileVersion : 2.1.1.0
ProductVersion : 2.1.4
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright © Hewlett-Packard. 2002-2003
OriginalFilename : HpCmpMgr.exe

#:32 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1188
ThreadCreationTime : 2-24-05 2:19:31 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:33 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 1344
ThreadCreationTime : 2-24-05 2:19:32 PM
BasePriority : Normal
FileVersion : 5.0.1.13
ProductVersion : 5.0.1.13
ProductName : Alps Pointing-device Driver for Windows NT/2000
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000
InternalName : Alps Pointing-device Driver for Windows NT/2000
LegalCopyright : Copyright © 1998-2001 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:34 [hpqtra08.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ProcessID : 1440
ThreadCreationTime : 2-24-05 2:19:32 PM
BasePriority : Normal
FileVersion : 5.35.0.035
ProductVersion : 005.035.000.035
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPQTRA00.EXE
Comments : HP Digital Imaging Monitor (CUE)

#:35 [jabbermessenger.exe]
FilePath : C:\Program Files\Jabber\
ProcessID : 1704
ThreadCreationTime : 2-24-05 2:19:32 PM
BasePriority : Normal


#:36 [erclient.exe]
FilePath : C:\Program Files\eRoom 6\
ProcessID : 1960
ThreadCreationTime : 2-24-05 2:19:33 PM
BasePriority : Normal
FileVersion : 6.04.391.31
ProductVersion : 6.04
ProductName : eRoom
CompanyName : Documentum, Inc.
FileDescription : eRoom File Watcher
InternalName : ERClient
LegalCopyright : Copyright © 1996-2003 Documentum, Inc.
LegalTrademarks : eRoom is a registered trademark of Documentum, Inc.
OriginalFilename : ERClient.exe

#:37 [vpngui.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ProcessID : 2924
ThreadCreationTime : 2-24-05 2:19:40 PM
BasePriority : Normal
FileVersion : 4.0.4 (Rel)
ProductVersion : 4.0.4 (Rel)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : vpngui
LegalCopyright : Copyright © 1998-2003 Cisco Systems, Inc.
OriginalFilename : VPNGUI.EXE

#:38 [outlook.exe]
FilePath : C:\PROGRA~1\MICROS~2\OFFICE11\
ProcessID : 2416
ThreadCreationTime : 2-24-05 2:20:01 PM
BasePriority : Normal


#:39 [saplogon.exe]
FilePath : C:\Program Files\SAP\FrontEnd\sapgui\
ProcessID : 3132
ThreadCreationTime : 2-24-05 2:59:01 PM
BasePriority : Normal


#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 888
ThreadCreationTime : 2-24-05 3:57:11 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : 63.219.181.7

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : 63.219.181.7
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : 63.219.181.7
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7
Value : http

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 2




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

11:14:16 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:26.386
Objects scanned:122299
Objects identified:2
Objects ignored:0
New critical objects:2



I have also run a HijackThis log which I've pasted in below:
Any help on this is greatly appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 10:53:01 AM, on 2/24/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Jabber\JabberMessenger.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\GZRLL8\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.can.eds.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.shl.com;<local>
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)
R3 - URLSearchHook: (no name) - {47644E61-7A81-E2A3-7881-1D512C53D6F7} - SetupExeDll.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\lcf\dat\1\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\lcf\dat\1\Mobile" "c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [Refresh] c:\windows\coe\refresh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2gzrll802] "c:\em\opt\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\em\opt\tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SYSTRAV] mozilla-text.exe
O4 - HKLM\..\Run: [NsCplTray] SpyElim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] keybdll.exe
O4 - HKCU\..\Run: [scanSYS] xsetup.exe
O4 - HKCU\..\Run: [typeconf] ERTYDF.exe
O4 - Startup: EDS EIM.lnk = ?
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://sfweb.cio.eds.com/download/CfxIEAx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwca.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {87A7D186-27E6-11D3-A4CB-00C04F72C232} (SAGraphicView Control) - http://www.gsms-am.eds.com/gsmsps/Appl/sagraphicview.cab
O16 - DPF: {CC93F0F5-9259-4642-94EC-FA5BBBC6981E} (BltPrinter.PrintControl) - http://www.gsms-am.eds.com/gsmsps/Appl/BltPrinter.CAB
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://collaborate5.coe.eds.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E12624-4EC5-4F1F-8016-B886D6C7299C}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: Domain = eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: NameServer = 205.191.24.78,205.191.22.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eds.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eds.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

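As an added triage example (not part of the thread and not code from HijackThis or any other tool named in it), the script below reads HijackThis-style lines modelled on the log above and flags the entry types a reviewer would look at first: R3 hooks pointing at missing DLLs, O4 Run entries that launch a bare filename with no path, O15 Trusted Zone entries naming a raw IP, and O17 NameServer entries that differ from the corporate resolvers. It assumes the resolvers on the eds.com adapter entry (205.191.24.78 and 205.191.22.78) are the approved ones; everything else is an assumption or a constructed sample.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: a handful of lines copied from the HijackThis
# entries in the post above (not the whole log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SYSTRAV] mozilla-text.exe
O4 - HKCU\..\Run: [prcmon] keybdll.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: NameServer = 205.191.24.78,205.191.22.78
"""

# Assumption: the resolvers on the adapter whose Domain is eds.com are the
# corporate ones, so any other NameServer value deserves a second look.
APPROVED_DNS: Set[str] = {"205.191.24.78", "205.191.22.78"}

# "O4 - HKLM\..\Run: [name] command" -> kind "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

Finding = Tuple[str, str, str]  # (entry kind, reason, original line)


def run_target(body: str) -> str:
    """Return the executable part of an O4 Run entry.

    Quoted commands are returned whole; unquoted ones are cut at the first
    space, which is enough to tell a full path from a bare filename.
    """
    _, _, rest = body.partition("] ")
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def triage(log_text: str, approved_dns: Set[str]) -> List[Finding]:
    """Flag the HijackThis entries that most often indicate a hijack."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        if kind == "R3" and "(file missing)" in body:
            findings.append((kind, "URLSearchHook references a DLL that is no longer on disk", line))

        elif kind == "O4" and "Run:" in body:
            target = run_target(body)
            # A Run value with no directory relies on the PATH search order,
            # which legitimate installers almost never do.
            if "\\" not in target and target.lower().endswith(".exe"):
                findings.append((kind, f"Run entry launches a bare filename with no path: {target}", line))

        elif kind == "O15" and IPV4_RE.search(body):
            findings.append((kind, "Trusted Zone entry names a raw IP address", line))

        elif kind == "O17" and "NameServer" in body:
            servers = {s.strip() for s in body.split("=", 1)[1].split(",")}
            rogue = sorted(servers - approved_dns)
            if rogue:
                findings.append((kind, "NameServer outside the approved resolvers: " + ", ".join(rogue), line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG, APPROVED_DNS):
        print(f"[{kind}] {reason}\n    {line}")
```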
#2 SirJon


    Malware Prevention


  • Malware Response Team
  • 230 posts

Posted 24 February 2005 - 09:40 PM

Hello neutrogina and Welcome! :thumbsup: (I use your skin care products)
Sorry you're having malware trouble.

First, we need to move HijackThis from:
D:\Documents and Settings\GZRLL8\Desktop\HijackThis.exe
From Windows, please do the following:
Extract HijackThis.exe from the .zip file and save hijackthis on the root of your C:\drive. Double-click on My Computer; double-click on your hard drive, (usually the C:\drive) right-click on a blank area, choose New, choose Folder, name the folder hijackthis. Now, place Hijackthis.exe in this folder.

Please enable all hidden files and folders in Windows. For instructions click here

Download the eScan Antivirus Toolkit here. It is 9.55MB in size.
Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Please configure Ad-Aware SE by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Please do not run a scan with Ad-Aware yet.

Download and install CCleaner here.
Please do not run the CCleaner utility yet.

Please reboot into Safe Mode. For instructions click here

From Safe Mode, double-click on the mwav.exe file; this will open the eScan program.
1.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are checked.

2.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.

3.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.

4.) Click the Scan Clean (or Scan) button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.

From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

From Safe Mode, open CCleaner, click on Options, Settings, uncheck the box "Only delete files in Windows Temp folders older than 48 hours", click OK. Using the default settings, click Run Cleaner and let it scan for all files and folders. (You'll see the results in the large Progress window.) Click Exit and reboot the PC. Now all the temp files and folders are clean, even your index.dat files are gone.

Reboot PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

#3 neutrogina

  • Topic Starter

  • Members
  • 10 posts

Posted 25 February 2005 - 10:14 AM

Hi SirJon, and thanks for your prompt reply! I have completed all of the items. Here is an updated log:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:05 AM, on 2/25/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Jabber\JabberMessenger.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.can.eds.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.shl.com;<local>
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)
R3 - URLSearchHook: (no name) - {47644E61-7A81-E2A3-7881-1D512C53D6F7} - SetupExeDll.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\lcf\dat\1\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\lcf\dat\1\Mobile" "c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [Refresh] c:\windows\coe\refresh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2gzrll802] "c:\em\opt\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\em\opt\tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NsCplTray] SpyElim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] keybdll.exe
O4 - HKCU\..\Run: [scanSYS] xsetup.exe
O4 - HKCU\..\Run: [typeconf] ERTYDF.exe
O4 - Startup: EDS EIM.lnk = ?
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://sfweb.cio.eds.com/download/CfxIEAx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwca.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {87A7D186-27E6-11D3-A4CB-00C04F72C232} (SAGraphicView Control) - http://www.gsms-am.eds.com/gsmsps/Appl/sagraphicview.cab
O16 - DPF: {CC93F0F5-9259-4642-94EC-FA5BBBC6981E} (BltPrinter.PrintControl) - http://www.gsms-am.eds.com/gsmsps/Appl/BltPrinter.CAB
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://collaborate5.coe.eds.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E12624-4EC5-4F1F-8016-B886D6C7299C}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 SirJon (Malware Prevention, Malware Response Team, 230 posts)

Posted 25 February 2005 - 11:19 PM

Please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)
R3 - URLSearchHook: (no name) - {47644E61-7A81-E2A3-7881-1D512C53D6F7} - SetupExeDll.dll (file missing)
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [NsCplTray] SpyElim.exe
O4 - HKCU\..\Run: [prcmon] keybdll.exe
O4 - HKCU\..\Run: [scanSYS] xsetup.exe
O4 - HKCU\..\Run: [typeconf] ERTYDF.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E12624-4EC5-4F1F-8016-B886D6C7299C}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31


NOTE: Unless you or an administrator set this entry, check this in HJT also:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Programs such as Spybot-S&D and others may have set this also)

Please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.

C:\Program Files\WareOut <----Delete this folder
C:\WINDOWS\System32\wins32t.dll <----Delete this file (If found)
C:\WINDOWS\System32\tss.exe <----Delete this file
keybdll.exe <----Delete this file
xsetup.exe <----Delete this file
ERTYDF.exe <----Delete this file
SpyElim.exe <----Delete this file
clfmon.exe <----Delete this file

Copy the contents of the Quote Box below to Notepad. Name the file as trustedsitesfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]


Now double-click on the trustedsitesfix.reg file and when it prompts to merge, say Yes. This will clear some registry entries left behind by the malware infections.

Open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

Edited by SirJon, 25 February 2005 - 11:35 PM.


#5 neutrogina (Topic Starter, Members, 10 posts)

Posted 01 March 2005 - 01:25 PM

Hi SirJon, thanks again for your help. I have done what you asked, except that the files and folders you suggested deleting were not there. Everything else was fine. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:29 PM, on 3/01/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\Jabber\JabberMessenger.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.can.eds.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.shl.com;<local>
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\lcf\dat\1\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\lcf\dat\1\Mobile" "c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [Refresh] c:\windows\coe\refresh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2gzrll802] "c:\em\opt\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\em\opt\tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: EDS EIM.lnk = ?
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://sfweb.cio.eds.com/download/CfxIEAx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwca.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {87A7D186-27E6-11D3-A4CB-00C04F72C232} (SAGraphicView Control) - http://www.gsms-am.eds.com/gsmsps/Appl/sagraphicview.cab
O16 - DPF: {CC93F0F5-9259-4642-94EC-FA5BBBC6981E} (BltPrinter.PrintControl) - http://www.gsms-am.eds.com/gsmsps/Appl/BltPrinter.CAB
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://collaborate5.coe.eds.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.corp.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 SirJon (Malware Prevention, Malware Response Team, 230 posts)

Posted 01 March 2005 - 02:53 PM

Nice Work! :thumbsup:

Your log is clean. You have some unusual software installed, but I don't see any more references to malware.

Edited by SirJon, 01 March 2005 - 02:54 PM.


#7 bastos_mau (Members, 1 post)

Posted 18 March 2005 - 12:30 PM

I also found out that when you connect again to the Internet, the 69.50.188.180 values are restored in the registry.

Next, I found that it keeps a DNS record in rasphone.pbk, usually at C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
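As an added example (not code from this thread or from HijackThis), a small Python triage script that applies the checks behind SirJon's fix list in #4 to HijackThis log lines (O17 NameServer, O15 trusted zone, dangling R3 hooks, path-less O4 Run entries) and adds the rasphone.pbk DNS check from the post above. The sample log lines and pbk fragment are constructed, and TRUSTED_DNS is a hypothetical allow-list standing in for the resolvers a machine is actually supposed to use.

```python
import re

# Constructed sample lines modelled on the HijackThis log posted in this thread
# (the DNS addresses and file names are the ones the thread discusses).
SAMPLE_HJT = r"""
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKCU\..\Run: [prcmon] keybdll.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D7B9B1C-F686-4E8D-B970-E2642F5E3412}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
"""

# Constructed rasphone.pbk fragment: the IpDnsAddress keys are the per-connection
# DNS settings that the last post says get re-planted when the connection comes up.
SAMPLE_PBK = """
[My ISP]
IpPrioritizeRemote=1
IpDnsAddress=69.50.188.180
IpDns2Address=195.225.176.31
"""

# Hypothetical allow-list: the resolvers this machine is expected to use.
TRUSTED_DNS = {"10.0.0.53", "10.0.1.53"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<cmd>[^"]+)')
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
PBK_DNS_RE = re.compile(r"^IpDns2?Address=(?P<ip>\d+\.\d+\.\d+\.\d+)", re.M)
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def hjt_findings(log_text, trusted_dns=TRUSTED_DNS):
    """Return (severity, message) pairs for HijackThis lines worth fixing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O17_RE.match(line):
            # Resolver hijack: any NameServer value outside the allow-list.
            bad = [s for s in m["servers"].split(",") if s not in trusted_dns]
            if bad:
                findings.append(("high", "DNS hijack: " + ",".join(bad)))
        elif line.startswith("R3") and line.endswith("(file missing)"):
            findings.append(("medium", "dangling URLSearchHook"))
        elif m := O15_RE.match(line):
            # Trusted Zone entries keyed on a raw IP are a classic popup vector.
            if IPV4_RE.search(m["zone"]):
                findings.append(("high", "IP-based trusted zone: " + m["zone"]))
        elif m := O4_RE.match(line):
            # A bare file name gives no path to verify; flag for manual review.
            if "\\" not in m["cmd"]:
                findings.append(("review", "bare-name Run entry: " + m["cmd"]))
    return findings


def pbk_dns_findings(pbk_text, trusted_dns=TRUSTED_DNS):
    """Return the DNS servers in a rasphone.pbk that are not on the allow-list."""
    return sorted({m["ip"] for m in PBK_DNS_RE.finditer(pbk_text)} - trusted_dns)


if __name__ == "__main__":
    for severity, message in hjt_findings(SAMPLE_HJT):
        print(severity, message)
    print("pbk DNS not in allow-list:", pbk_dns_findings(SAMPLE_PBK))
```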



