Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan About:Blank startpage HELP!


  • Please log in to reply
17 replies to this topic

#1 whileweburn

whileweburn

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 10 March 2005 - 07:33 PM

I am reposting this because I replied to my own post, and I didnt wanted people thinking Ive been helped! Sorry......anyway


Hey there...I am new to this site, so I thank you in advance for your help. I contracted some sort of trojan start page where my home page is set to about:blank and cannot be set back. If I got to certain sites and login or click links it directs me to about:blank as well. ????

This is a XP professional PC and it has Symantec installed. Symantec finds the problem, but does not fix it.

I then tried all the spyware I could find, registry cleaners. They all found problems but did not fix the problem. Also everytime I would try to fix it I would follow up with a delete cookies/delete temp files\clear history.

The bad file seems to be se.dll

WHAT DO I DO?????HELP!

here is my HIJACKTHIS logfile....PLEASE HELP!

Logfile of HijackThis v1.99.1
Scan saved at 1:19:14 PM, on 3/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\esfnwx.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\SpencerB\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\SpencerB\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\SpencerB\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.c...65498462&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - D:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (file missing)
O2 - BHO: (no name) - {394C0E34-1575-47C5-8909-AF4DDE039391} - C:\WINDOWS\System32\mhip.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [xtgextb] C:\WINDOWS\System32\esfnwx.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcmcorp.private
O17 - HKLM\Software\..\Telephony: DomainName = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{456849C4-35D5-4615-A133-360D30D6FC6C}: Domain = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD79DDDD-2EF9-4623-A294-CCC2FEFF6817}: Domain = pcmcorp.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcmcorp.private
O18 - Filter: text/html - {6FEF8900-A017-4EC2-91B8-2E0560B97960} - C:\WINDOWS\System32\mhip.dll
O18 - Filter: text/plain - {6FEF8900-A017-4EC2-91B8-2E0560B97960} - C:\WINDOWS\System32\mhip.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

BC AdBot (Login to Remove)

 


m

#2 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 10 March 2005 - 08:46 PM

hi welcome to the forum, i suggest you print out these instructions and follow the steps one at a time
in the order given here.

you need to Move HijackThis to a permanent folder for it to work properly.

To do this:

Go to My Computer (Windows key + E ), double click on C:
Click File > New > Folder

Name it HijackThis and unzip/move or download the program again to this folder.


Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)


Put a checkmark next to the following entries in HijackThis.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\SpencerB\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\SpencerB\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.c...65498462&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - D:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (file missing)
O2 - BHO: (no name) - {394C0E34-1575-47C5-8909-AF4DDE039391} - C:\WINDOWS\System32\mhip.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [xtgextb] C:\WINDOWS\System32\esfnwx.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O18 - Filter: text/html - {6FEF8900-A017-4EC2-91B8-2E0560B97960} - C:\WINDOWS\System32\mhip.dll
O18 - Filter: text/plain - {6FEF8900-A017-4EC2-91B8-2E0560B97960} - C:\WINDOWS\System32\mhip.dll
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


Make sure all windows and browsers are closed before clicking on “Fix Checked”.



Now, start APM.
In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\mhip.dll

It is the 02 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.

currently it is :- O2 - BHO: (no name) - {394C0E34-1575-47C5-8909-AF4DDE039391} - C:\WINDOWS\System32\mhip.dll

Select Unload DLL, and click OK on the prompts that follow.



Then boot up in SAFE MODE

navigate to and delete these files :-


C:\WINDOWS\enhupdt.exe << This file
C:\WINDOWS\satmat.exe << This file
C:\WINDOWS\enhtb.dll << This file
C:\WINDOWS\BTGrab.dll << This file
C:\WINDOWS\System32\esfnwx.exe << This file



now boot up NORMALLY


please download :-

http://www.derbilk.de/SpSeHjfix_Beta6.zip

save it to your desktop.

Start SpSeHjfix_Beta6.exe click on " Desinfecton starten" (the other button means close)
then it wil reboot and finish the cleaning.


Now scan with AdAware to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.

Run Adaware with the following settings:


Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then Click the Advanced Button on the left side to open the Advanced Settings screen. Make sure the following is on with a "green" checkmark:

Move deleted files to Recycle Bin

Others are optional to be checked or unchecked.

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure ll of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Click the "Next" button to start the scan.

When a scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects Tab. In general all of the items listed will be bad. Be carefull with the Hosts file entries. Malware uses the hosts file to redirect you websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Close Ad-aware.

If Ad-Aware needs to reboot to finish cleaning, please let it.


Please run the following online scan and let it fix everything it finds:

HOUSECALL

Then :-

Download and run
COOLWEBSHREDDER.EXE(standalone version)

Click Fix, don't just scan. Let it fix everything it asks about.

then reboot and post a fresh HJT log.

Edited by bricat, 10 March 2005 - 08:48 PM.


#3 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 11 March 2005 - 02:22 PM

Ok..I did everything you advised, but there were some small issues [or maybe they are not at all].....

When deleting the hijackthis files there were a couple that you listed that were not there.

When in safe mode and searching for files "enhtb.dll" did not come up.

Here is the new logfile. Can I open a browser?



Logfile of HijackThis v1.99.1
Scan saved at 11:19:41 AM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\mobsync.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\WINDOWS\system32\userinit.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcmcorp.private
O17 - HKLM\Software\..\Telephony: DomainName = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{456849C4-35D5-4615-A133-360D30D6FC6C}: Domain = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD79DDDD-2EF9-4623-A294-CCC2FEFF6817}: Domain = pcmcorp.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcmcorp.private
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#4 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 11 March 2005 - 06:03 PM

some of the files will have been removed by HJT, it is ok to open a browser, you just need to close all browsers while you are fixing things with HJT. once they are fixed it is ok to open the browser.

Rerun HJT,and put a tick beside this :-

O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll


now close all windows and browsers and click [blue]FIX CHECKED[/blue]


Then boot up in SAFE MODE


then navigate to C:\WINDOWS and delete dlmax.dll


then reboot and post a fresh Hijackthis log.


we're nearly there. :thumbsup:

#5 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 11 March 2005 - 06:46 PM

Okay...done and done. But when I scanned for the file it came up in other area namely the d drive as well. I only deleted the c:/windows.



Logfile of HijackThis v1.99.1
Scan saved at 3:46:17 PM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\windows\system32\esfnwx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\windows\system32\calc.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [esfnwx] c:\windows\system32\esfnwx.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcmcorp.private
O17 - HKLM\Software\..\Telephony: DomainName = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{456849C4-35D5-4615-A133-360D30D6FC6C}: Domain = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD79DDDD-2EF9-4623-A294-CCC2FEFF6817}: Domain = pcmcorp.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcmcorp.private
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#6 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 11 March 2005 - 07:52 PM

i thought we nearly had it cleared. :thumbsup:

Rerun HJT,and put a tick beside these :-


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [esfnwx] c:\windows\system32\esfnwx.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

now close all windows and browsers and click [blue]FIX CHECKED[/blue]

Then boot up in SAFE MODE


then navigate to and delete these files :-

c:\windows\system32\esfnwx.exe << This file
C:\WINDOWS\farmmext.exe << This file
C:\WINDOWS\wupdt.exe << This file
C:\WINDOWS\systb.dll << This file
C:\WINDOWS\dlmax.dll << This file

do a search for these files, and delete them wherever you find them.


Now boot up normally.


Download and run
COOLWEBSHREDDER.EXE(standalone version)
Click Fix, don't just scan. Let it fix everything it asks about.


run two online virus scans from any of the following locations and post a summary of their findings in your next reply.

http://www.ravantivirus.com/scan/ - RAV
http://www.pandasoftware.com/activescan/ - Panda
http://www.bitdefender.com/scan/licence.php - BitDefender
http://security.symantec.com/sscv6/default...id=ie&venid=sym - Symantec



then reboot and post a fresh Hijackthis log.

Edited by bricat, 11 March 2005 - 07:54 PM.


#7 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 12 March 2005 - 02:03 AM

Okay.....there was no "systb.dll" and when I searched for dlmax.dll I could only delete the one in the c drive. There was like 6-7 in d drive that would not allow me to. "Cannot read from source file or disk" is what that said.

Rav anti Virus:
Scan started at 3/11/2005 10:25:41 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dc4.exe - TrojanDownloader:Win32/Agent.AE -> Infected

Scanned
============================
Objects: 29965
Directories: 2225
Archives: 971
Size(Kb): 815138
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 48

and Panda anti-virus

Incident Status Location

Adware:Adware/CWS.Aboutblank No disinfected C:\hijackthis\backups\backup-20050311-094435-310.dll
Virus:Trj/Imiserv.D Disinfected C:\hijackthis\backups\backup-20050311-220604-273.dll
Adware:Adware/IPInsight No disinfected C:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dc10.exe
Adware:Adware/IPInsight No disinfected C:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dc11.exe
Virus:Trj/Downloader.GK Disinfected C:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dc4.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\enhtb.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.exe
Spyware:Spyware/BetterInet No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\DrTemp\thnall2r.exe
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3319.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3319.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3AFB.tmp\farmmext.cab[farmmext.inf]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3AFB.tmp\farmmext.cab[farmmext.exe]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3AFB.tmp\farmmext.cab[farmmext.ini]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3AFB.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI3AFB.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI5EC1.tmp\farmmext.cab[farmmext.inf]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI5EC1.tmp\farmmext.cab[farmmext.exe]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI5EC1.tmp\farmmext.cab[farmmext.ini]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI5EC1.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI5EC1.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI6B9E.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI6B9E.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI7E5B.tmp\farmmext.cab[farmmext.inf]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI7E5B.tmp\farmmext.cab[farmmext.exe]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI7E5B.tmp\farmmext.cab[farmmext.ini]
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI7E5B.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI7E5B.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI8E0.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\THI8E0.tmp\farmmext.ini
Spyware:Spyware/BetterInet No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temp\thnall1r.exe
Adware:Adware/Transponder No disinfected D:\Documents and Settings\SpencerB\Local Settings\Temporary Internet Files\Content.IE5\EYRA9AT0\thnall2r[1].exe
Adware:Adware/IPInsight No disinfected D:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dd5.exe
Adware:Adware/IPInsight No disinfected D:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dd6.exe
Adware:Adware/IPInsight No disinfected D:\RECYCLER\S-1-5-21-1329014790-908879856-632704484-500\Dd7.exe

#8 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 12 March 2005 - 02:08 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:09:19 PM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcmcorp.private
O17 - HKLM\Software\..\Telephony: DomainName = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{456849C4-35D5-4615-A133-360D30D6FC6C}: Domain = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD79DDDD-2EF9-4623-A294-CCC2FEFF6817}: Domain = pcmcorp.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcmcorp.private
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#9 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 12 March 2005 - 09:49 AM

firstly we are going to have edit the registry, we need to make a back up first, to do this :-

registry backup.(very important)

go to START\RUN type in REGEDIT.click OK. when the window opens
click on FILE then EXPORT. call the file REG BACKUP and save to your
DESKTOP.click on SAVE.

then go back into regedit) and navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right delete the ‘susp’, ‘alchem’, ‘satmat’, ‘conscorr’ or ‘farmmext’ entry.

Reboot Windows and delete C:\WINDOWS\farmmext.exe


Rerun HJT,and put a tick beside these :-


O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

now close all windows and browsers and click FIX CHECKED

Then boot up in SAFE MODE


Still in safe mode,
Go to start > run and type: cleanmgr and click ok.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.
Let it scan your system for these files to remove.

did you install WinVNC. if not let me know and we will remove it.


then reboot and post a fresh Hijackthis log.

Edited by bricat, 12 March 2005 - 09:51 AM.


#10 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 12 March 2005 - 12:31 PM

Okay in regedit, the only file I could find was "farmmext.exe". I deleted that. After rebooting, I searched and could NOT find "farmmext." I then went to hijackthis and the only file that you listed that was present was the VNC server [filemissing] file. I deleted that. REbooted in safemode, and cleaned with cleanmgr.

And after running a search, WinVNC is on this computer.
What is WINVNC?
Also ABOUT:Blank was gone for a little while, and now its back? And as soon as I noticed it back, my wireless network connection started do get interupted, coincidence?

Logfile of HijackThis v1.99.1
Scan saved at 9:28:06 AM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\mobsync.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\WINDOWS\system32\userinit.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcmcorp.private
O17 - HKLM\Software\..\Telephony: DomainName = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{456849C4-35D5-4615-A133-360D30D6FC6C}: Domain = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD79DDDD-2EF9-4623-A294-CCC2FEFF6817}: Domain = pcmcorp.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcmcorp.private
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Edited by whileweburn, 12 March 2005 - 12:43 PM.


#11 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 12 March 2005 - 03:28 PM

if you don't know what winvnc is then you didn't install it. see HERE

go to ADD\remove programs in control panel and remove RealVNC and BulletProofSoft.com


Rerun HJT,and put a tick beside these :-

O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


now close all windows and browsers and click FIX CHECKED


Then boot up in SAFE MODE


then go to C:\Program Files and delete RealVNC<---folder

then go to C:\Program Files and delete BulletProofSoft.com<---folder

then reboot and post a fresh Hijackthis log. and let us know what problems remain.

Edited by bricat, 12 March 2005 - 03:54 PM.


#12 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 12 March 2005 - 05:48 PM

I dont think I should delete it. This is a work/home computer and our tech has that on so that he can edit my computer remotely. Delete anyway?

Is it possible, because I use two networks and the vnc access is only available at the work network that it the hijackthis file says {filemissing} when Im not there?

Edited by whileweburn, 12 March 2005 - 06:01 PM.


#13 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 12 March 2005 - 06:07 PM

leave VNC , and follow the rest of the instructions.

#14 whileweburn

whileweburn
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 12 March 2005 - 07:10 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:10:00 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\WINDOWS\system32\userinit.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcmcorp.private
O17 - HKLM\Software\..\Telephony: DomainName = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{456849C4-35D5-4615-A133-360D30D6FC6C}: Domain = pcmcorp.private
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD79DDDD-2EF9-4623-A294-CCC2FEFF6817}: Domain = pcmcorp.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcmcorp.private
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#15 bricat

bricat

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 12 March 2005 - 07:35 PM

that looks clean now. :thumbsup:

DISABLE SYSTEM RESTORE
run your anti virus, when you get the all clear
restart your system restore.(same page).then create a new restore point.
this is to ensure that if you have to do a system restore in the future that you don't get all the nasties reinstalled again.

Then

Go to TOOLS\INTERNET OPTIONS. and delete all TEMP INTERNET FILES

Download and run CCLEANER

then defrag your C:\ drive.

to help speed up your system.

I suggest that you also install the following to protect your p.c. in the future:

Spywareblaster & Spywareguard

You don't have to do anything with these programmes apart from update them once a week, they will do the work for you. If you try to download something which contains known spyware, Spywareguard will notify you immediately so you can cancel the download

Here are some links to help you understand spyware and malware.

http://forums.thetechguys.com/showthread.php?t=4544

http://pcstats.com/articleview.cfm?articleID=1579

http://forums.thetechguys.com/showthread.php?t=8859

let us know how the computer is running.

Edited by bricat, 12 March 2005 - 07:39 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users