
Spyware problems with SmartSecurity & SlimShield


11 replies to this topic

#1 Mike_in_Oz


Posted 29 March 2005 - 06:37 AM

Hi

I got hit with a bad trojan yesterday (I think it was a Haxdoor trojan) and a bucket load of Spyware. I've been in damage control mode since then!
I think I've cleaned everything up as best I can. My problem now is that my desktop keeps getting taken over by a popup from SmartShield. But when I remove that html file I get a popup from SlimShield!!

I attach my HiJackThis log.

Hope you guys can help. Thanks.

Mike
:thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 9:15:24 PM, on 3/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\Sni.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ixchwn] C:\WINDOWS\ixchwn.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Csh] C:\WINDOWS\Npd.exe
O4 - HKLM\..\Run: [Uip] C:\WINDOWS\System32\Tma.exe
O4 - HKLM\..\Run: [Ktc] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Dgn] C:\WINDOWS\Duv.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Gea.exe
O4 - HKLM\..\Run: [Pec] C:\WINDOWS\Lob.exe
O4 - HKLM\..\Run: [Etd] C:\WINDOWS\Lee.exe
O4 - HKLM\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - HKLM\..\Run: [Ccj] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Tsb] C:\WINDOWS\Ouh.exe
O4 - HKLM\..\Run: [Ckg] C:\WINDOWS\Lbl.exe
O4 - HKLM\..\Run: [Dhb] C:\WINDOWS\System32\Tgg.exe
O4 - HKLM\..\Run: [Nue] C:\WINDOWS\System32\Bhq.exe
O4 - HKLM\..\Run: [Ekp] C:\WINDOWS\System32\Tlo.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Uuo] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Mii] C:\WINDOWS\Tfq.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\System32\Pot.exe
O4 - HKLM\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKLM\..\Run: [Oak] C:\WINDOWS\System32\Seu.exe
O4 - HKLM\..\Run: [Asi] C:\WINDOWS\System32\Eqp.exe
O4 - HKLM\..\Run: [Pdg] C:\WINDOWS\Rso.exe
O4 - HKLM\..\Run: [Anr] C:\WINDOWS\Fqt.exe
O4 - HKLM\..\Run: [Phb] C:\WINDOWS\System32\Sni.exe
O4 - HKLM\..\Run: [Mpe] C:\WINDOWS\Atm.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKLM\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKLM\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKLM\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKLM\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKLM\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKLM\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKLM\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKLM\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKLM\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKLM\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKLM\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKLM\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKLM\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKLM\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKLM\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKLM\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKLM\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKLM\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKLM\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKLM\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKLM\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKLM\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKLM\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKLM\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKLM\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKLM\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKLM\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKLM\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKLM\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKLM\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKLM\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKCU\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKCU\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKCU\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKCU\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKCU\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKCU\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKCU\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKCU\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKCU\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKCU\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKCU\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKCU\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKCU\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKCU\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKCU\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKCU\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKCU\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKCU\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKCU\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKCU\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKCU\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKCU\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKCU\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKCU\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKCU\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKCU\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKCU\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKCU\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKCU\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: iManage DeskSite.lnk = C:\Program Files\iManage\Manage32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.gtlaw.com.au/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://docs.gtlaw.com.au/worksite/bin/iManFile.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brco.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\Software\..\Telephony: DomainName = sydney.gtlaw.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\TNGSD\BIN\SDSERV.EXE


#2 Mike_in_Oz


Posted 29 March 2005 - 07:10 AM

Sorry - I forgot to run Spybot and Noadware before I sent through my HijackThis log, which I've now done. Here's the latest log:

Also I meant to add that I am unable to use my right mouse button on my desktop - I think the SmartSecurity popup has hijacked my Desktop too, as I'm unable to change the desktop in Display Properties. Part of the same problem, I think?

Thanks

Mike
:thumbsup:



Logfile of HijackThis v1.99.1
Scan saved at 10:06:46 PM, on 3/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\Sni.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Spyware Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ixchwn] C:\WINDOWS\ixchwn.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Csh] C:\WINDOWS\Npd.exe
O4 - HKLM\..\Run: [Uip] C:\WINDOWS\System32\Tma.exe
O4 - HKLM\..\Run: [Ktc] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Dgn] C:\WINDOWS\Duv.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Gea.exe
O4 - HKLM\..\Run: [Pec] C:\WINDOWS\Lob.exe
O4 - HKLM\..\Run: [Etd] C:\WINDOWS\Lee.exe
O4 - HKLM\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - HKLM\..\Run: [Ccj] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Tsb] C:\WINDOWS\Ouh.exe
O4 - HKLM\..\Run: [Ckg] C:\WINDOWS\Lbl.exe
O4 - HKLM\..\Run: [Dhb] C:\WINDOWS\System32\Tgg.exe
O4 - HKLM\..\Run: [Nue] C:\WINDOWS\System32\Bhq.exe
O4 - HKLM\..\Run: [Ekp] C:\WINDOWS\System32\Tlo.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Uuo] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Mii] C:\WINDOWS\Tfq.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\System32\Pot.exe
O4 - HKLM\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKLM\..\Run: [Oak] C:\WINDOWS\System32\Seu.exe
O4 - HKLM\..\Run: [Asi] C:\WINDOWS\System32\Eqp.exe
O4 - HKLM\..\Run: [Pdg] C:\WINDOWS\Rso.exe
O4 - HKLM\..\Run: [Anr] C:\WINDOWS\Fqt.exe
O4 - HKLM\..\Run: [Phb] C:\WINDOWS\System32\Sni.exe
O4 - HKLM\..\Run: [Mpe] C:\WINDOWS\Atm.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKLM\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKLM\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKLM\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKLM\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKLM\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKLM\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKLM\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKLM\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKLM\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKLM\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKLM\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKLM\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKLM\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKLM\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKLM\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKLM\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKLM\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKLM\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKLM\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKLM\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKLM\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKLM\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKLM\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKLM\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKLM\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKLM\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKLM\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKLM\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKLM\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKLM\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKLM\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKLM\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKLM\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKLM\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKCU\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKCU\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKCU\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKCU\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKCU\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKCU\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKCU\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKCU\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKCU\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKCU\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKCU\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKCU\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKCU\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKCU\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKCU\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKCU\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKCU\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKCU\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKCU\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKCU\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKCU\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKCU\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKCU\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKCU\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKCU\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKCU\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKCU\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKCU\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKCU\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKCU\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKCU\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKCU\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: iManage DeskSite.lnk = C:\Program Files\iManage\Manage32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.gtlaw.com.au/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://docs.gtlaw.com.au/worksite/bin/iManFile.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brco.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\Software\..\Telephony: DomainName = sydney.gtlaw.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\TNGSD\BIN\SDSERV.EXE
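The O4 entries in the two logs above carry the signals a responder reads first: a long run of three-letter value names pointing at three-letter .exe files dropped straight into C:\WINDOWS and System32, and the same command (spoolvse.exe, for instance) registered under HKLM Run, HKLM RunServices and HKCU Run, so that cleaning one key does not stop it. The script below is an added example, not code from the thread or from HijackThis; it parses registry O4 lines from a constructed subset of the second log and applies those two heuristics plus a check for bare file names that Windows resolves through the search path.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of O4 lines copied from the second log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
"""

# Registry-backed O4 lines: "O4 - HKLM\..\Run: [Name] command". Global Startup
# (.lnk) entries deliberately do not match; they are handled differently.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First executable token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|bat|pif))"?(?:\s|$)', re.IGNORECASE)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# The dropper in this log named every value Xxx (one capital, two lowercase).
RANDOM_NAME = re.compile(r"[A-Z][a-z]{2}")


def parse_o4(line):
    """Return (hive, key, value_name, exe_path) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m["cmd"])
    exe = e["exe"] if e else m["cmd"].strip('"').split()[0]
    return m["hive"], m["key"], m["name"], exe


def triage(log_text):
    """Apply three triage heuristics to every registry O4 entry in a HijackThis log.

    random_names:   Xxx value names launching a three-letter .exe from C:\\WINDOWS
                    or System32 (the mass-dropped cluster seen in this thread).
    multi_location: executables registered under more than one hive\\key, which is
                    why the popups return after a single key is cleaned.
    unqualified:    bare file names with no directory; these are resolved through
                    the search path and deserve a look-up before being trusted.
    """
    entries = [p for p in map(parse_o4, log_text.splitlines()) if p]
    random_names, unqualified = set(), set()
    locations = defaultdict(set)
    for hive, key, name, exe in entries:
        low = exe.lower()
        directory, _, basename = low.rpartition("\\")
        locations[low].add(f"{hive}\\{key}")
        if "\\" not in low:
            unqualified.add(low)
        if (RANDOM_NAME.fullmatch(name)
                and re.fullmatch(r"[a-z]{3}\.exe", basename)
                and directory in SYSTEM_DIRS):
            random_names.add(name)
    multi = {exe: sorted(locs) for exe, locs in locations.items() if len(locs) > 1}
    return {
        "random_names": sorted(random_names),
        "multi_location": multi,
        "unqualified": sorted(unqualified),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("random-name cluster :", ", ".join(report["random_names"]))
    for exe, locs in sorted(report["multi_location"].items()):
        print(f"registered {len(locs)}x    : {exe} -> {', '.join(locs)}")
    print("unqualified paths   :", ", ".join(report["unqualified"]))
```

Run against the full logs, the random-name rule alone pulls out the roughly ninety Xxx entries, and the multi-location rule shows which of them were written to both HKLM and HKCU.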

#3 miekiemoes (Malware Response Team)

Posted 29 March 2005 - 01:57 PM

Hi,

Before we proceed... could you first perform an online scan with BitDefender?
http://www.bitdefender.com/scan/licence.php

Reboot afterwards and post a new log.

#4 Mike_in_Oz


Posted 29 March 2005 - 04:47 PM

OK, I have run a scan with BitDefender. The trojan infections look worse than I thought! I also attach another HijackThis log below.

Thanks.

Mike
:thumbsup:
=======================================

BitDefender report.

Scanned Finished. Scanned Objects: 338466 Infected Objects: 81 Time: 00:43:32


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>related.htm: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazefindSearchRelevancy.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazefindSearchRelevancy.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazefindSearchRelevancy1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazefindSearchRelevancy1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazefindSearchRelevancy2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazefindSearchRelevancy2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{14E3008B-B148-4483-8445-6663F19F0CFB}/SVCHOST.DLL: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{14E3008B-B148-4483-8445-6663F19F0CFB}/SVCHOST.EXE: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{14E3008B-B148-4483-8445-6663F19F0CFB}/SVCHOST32.DLL: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{C9C46AC5-3C79-46CA-A266-3A3B50DDCB26}/SVCHOST.DLL: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{C9C46AC5-3C79-46CA-A266-3A3B50DDCB26}/SVCHOST.EXE: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{C9C46AC5-3C79-46CA-A266-3A3B50DDCB26}/SVCHOST32.DLL: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>{C9C46AC5-3C79-46CA-A266-3A3B50DDCB26}/Update.exe: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\EffectiveBandToolbar.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\EffectiveBandToolbar.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HaxdoorH.zip=>i.a3d: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HaxdoorH.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HaxdoorH1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HaxdoorH1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HaxdoorH2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HaxdoorH2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechPowerScan.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechPowerScan.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind5.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind5.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind6.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind6.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind7.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind7.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind8.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSideFind8.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NoAdware.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NoAdware.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip=>sporder_.dll: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome1.zip=>setup.inf: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome2.zip=>WEBInstaller.dll: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpyHunter.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Start Menu\Programs\Computer Associates\Unicenter\ServicePlus Service Desk\Documentation\Install Acrobat Reader.lnk=>C:\Program Files\CA\Unicenter ServicePlus Service Desk\doc\acrobat\AcroReader51_ENU_full.exe=>(CAB Sfx o)=>\Reader\Agm.dll: bad crc
C:\Program Files\CA\eTrust Antivirus\Move\d3fd7df0-985d-4dc7-bec4-36b392fda7aa.AVB: infected with Trojan.Downloader.Small.WV
C:\Program Files\CA\eTrust Antivirus\Move\d3fd7df0-985d-4dc7-bec4-36b392fda7aa.AVB: disinfection failed
C:\Program Files\Outlook Connector for Domino\PABImport.EXE: suspect Win32.VB.Gen
C:\Program Files\Outlook Connector for Domino\PABImport.EXE: disinfection failed
C:\Program Files\Outlook Connector for Domino\private\PABImport.EXE: suspect Win32.VB.Gen
C:\Program Files\Outlook Connector for Domino\private\PABImport.EXE: disinfection failed
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Game Time : 4:35pm this Sat][From: Tom Henderson-Brooks]=>(body)=>(Compressed Rtf): suspect Exploit.Iframe.Vulnerability
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Game Time : 4:35pm this Sat][From: Tom Henderson-Brooks]=>(body)=>(Compressed Rtf): disinfection failed
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Mail Delivery (failure solomons@bigpond.net.au)][From: i66c33@75e6.bf]=>(body)=>(Compressed Rtf): suspect Exploit.Iframe.Vulnerability
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Mail Delivery (failure solomons@bigpond.net.au)][From: i66c33@75e6.bf]=>(body)=>(Compressed Rtf): disinfection failed
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Mail Delivery (failure solomons@bigpond.net.au)][From: ilana_l@netvision.net.il]=>(body)=>(Compressed Rtf): suspect Exploit.Iframe.Vulnerability
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Mail Delivery (failure solomons@bigpond.net.au)][From: ilana_l@netvision.net.il]=>(body)=>(Compressed Rtf): disinfection failed
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Mail Delivery (failure solomons@bigpond.net.au)][From: yun.ung@universalmccann.com.au]=>(body)=>(Compressed Rtf): suspect Exploit.Iframe.Vulnerability
C:\Solomons\Mike Backup D4100 Home PC\Leanne\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Mail Delivery (failure solomons@bigpond.net.au)][From: yun.ung@universalmccann.com.au]=>(body)=>(Compressed Rtf): disinfection failed
C:\sp.exe: infected with Trojan.NSearch.A
C:\sp.exe: disinfection failed
C:\WINDOWS\Aol.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Aol.exe: disinfection failed
C:\WINDOWS\Api.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Api.exe: disinfection failed
C:\WINDOWS\Atm.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Atm.exe: disinfection failed
C:\WINDOWS\Bdi.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Bdi.exe: disinfection failed
C:\WINDOWS\Bou.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Bou.exe: disinfection failed
C:\WINDOWS\Dgu.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Dgu.exe: disinfection failed
C:\WINDOWS\Dlo.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Dlo.exe: disinfection failed
C:\WINDOWS\Dpv.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Dpv.exe: disinfection failed
C:\WINDOWS\Duv.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Duv.exe: disinfection failed
C:\WINDOWS\Ejj.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Ejj.exe: disinfection failed
C:\WINDOWS\Fhr.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Fhr.exe: disinfection failed
C:\WINDOWS\Fqt.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Fqt.exe: disinfection failed
C:\WINDOWS\Gcq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Gcq.exe: disinfection failed
C:\WINDOWS\Gea.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Gea.exe: disinfection failed
C:\WINDOWS\Hpn.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Hpn.exe: disinfection failed
C:\WINDOWS\Hrl.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Hrl.exe: disinfection failed
C:\WINDOWS\Ifr.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Ifr.exe: disinfection failed
C:\WINDOWS\Ipk.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Ipk.exe: disinfection failed
C:\WINDOWS\Lbl.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Lbl.exe: disinfection failed
C:\WINDOWS\Lee.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Lee.exe: disinfection failed
C:\WINDOWS\Lmq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Lmq.exe: disinfection failed
C:\WINDOWS\Lob.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Lob.exe: disinfection failed
C:\WINDOWS\ms2.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\ms2.exe: disinfection failed
C:\WINDOWS\ms4.exe: suspect Trojan.Dropper.Microjoin.J
C:\WINDOWS\ms4.exe: disinfection failed
C:\WINDOWS\Ncv.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Ncv.exe: disinfection failed
C:\WINDOWS\Npd.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Npd.exe: disinfection failed
C:\WINDOWS\Odd.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Odd.exe: disinfection failed
C:\WINDOWS\Olp.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Olp.exe: disinfection failed
C:\WINDOWS\Ouh.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Ouh.exe: disinfection failed
C:\WINDOWS\Pqs.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Pqs.exe: disinfection failed
C:\WINDOWS\Qmt.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Qmt.exe: disinfection failed
C:\WINDOWS\Rjn.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Rjn.exe: disinfection failed
C:\WINDOWS\Rso.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Rso.exe: disinfection failed
C:\WINDOWS\system32\And.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\And.exe: disinfection failed
C:\WINDOWS\system32\Bde.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Bde.exe: disinfection failed
C:\WINDOWS\system32\Bhf.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Bhf.exe: disinfection failed
C:\WINDOWS\system32\Bhq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Bhq.exe: disinfection failed
C:\WINDOWS\system32\Bmt.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Bmt.exe: disinfection failed
C:\WINDOWS\system32\Cdf.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Cdf.exe: disinfection failed
C:\WINDOWS\system32\Chq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Chq.exe: disinfection failed
C:\WINDOWS\system32\Daa.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Daa.exe: disinfection failed
C:\WINDOWS\system32\Dbi.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Dbi.exe: disinfection failed
C:\WINDOWS\system32\Drn.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Drn.exe: disinfection failed
C:\WINDOWS\system32\Egg.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Egg.exe: disinfection failed
C:\WINDOWS\system32\Ehh.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Ehh.exe: disinfection failed
C:\WINDOWS\system32\Eqp.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Eqp.exe: disinfection failed
C:\WINDOWS\system32\Hkn.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Hkn.exe: disinfection failed
C:\WINDOWS\system32\Iab.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Iab.exe: disinfection failed
C:\WINDOWS\system32\Iim.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Iim.exe: disinfection failed
C:\WINDOWS\system32\Irf.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Irf.exe: disinfection failed
C:\WINDOWS\system32\Mdo.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Mdo.exe: disinfection failed
C:\WINDOWS\system32\Mou.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Mou.exe: disinfection failed
C:\WINDOWS\system32\Nfp.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Nfp.exe: disinfection failed
C:\WINDOWS\system32\Njg.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Njg.exe: disinfection failed
C:\WINDOWS\system32\Ogm.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Ogm.exe: disinfection failed
C:\WINDOWS\system32\Ovq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Ovq.exe: disinfection failed
C:\WINDOWS\system32\Pot.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Pot.exe: disinfection failed
C:\WINDOWS\system32\Qdo.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Qdo.exe: disinfection failed
C:\WINDOWS\system32\Rub.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Rub.exe: disinfection failed
C:\WINDOWS\system32\Scq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Scq.exe: disinfection failed
C:\WINDOWS\system32\Seu.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Seu.exe: disinfection failed
C:\WINDOWS\system32\Sni.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Sni.exe: disinfection failed
C:\WINDOWS\system32\Spf.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Spf.exe: disinfection failed
C:\WINDOWS\system32\spoolvse.exe: infected with Backdoor.RBot.F6EE7CE8
C:\WINDOWS\system32\spoolvse.exe: disinfection failed
C:\WINDOWS\system32\Sqe.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Sqe.exe: disinfection failed
C:\WINDOWS\system32\Ssh.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Ssh.exe: disinfection failed
C:\WINDOWS\system32\Tap.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Tap.exe: disinfection failed
C:\WINDOWS\system32\Tgg.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Tgg.exe: disinfection failed
C:\WINDOWS\system32\Tlo.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Tlo.exe: disinfection failed
C:\WINDOWS\system32\Tma.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Tma.exe: disinfection failed
C:\WINDOWS\system32\Tob.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Tob.exe: disinfection failed
C:\WINDOWS\system32\Tpm.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Tpm.exe: disinfection failed
C:\WINDOWS\system32\Uke.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Uke.exe: disinfection failed
C:\WINDOWS\system32\Upf.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Upf.exe: disinfection failed
C:\WINDOWS\system32\Vbu.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\system32\Vbu.exe: disinfection failed
C:\WINDOWS\system32\x3yy\hmgognhc.exe: infected with Dropped:Trojan.Iyus.FAM
C:\WINDOWS\system32\x3yy\hmgognhc.exe: disinfection failed
C:\WINDOWS\Tcu.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Tcu.exe: disinfection failed
C:\WINDOWS\Tfq.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Tfq.exe: disinfection failed
C:\WINDOWS\Ves.exe: infected with Trojan.Clicker.Spywad.B
C:\WINDOWS\Ves.exe: disinfection failed
C:\WINDOWS\wsem303.dll: infected with Trojan.Downloader.Dyfuca.DT
C:\WINDOWS\wsem303.dll: disinfection failed

====================

Logfile of HijackThis v1.99.1
Scan saved at 7:45:47 AM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\WINDOWS\System32\spoolvse.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\Gcq.exe
C:\WINDOWS\System32\ntddetect.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Spyware Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ixchwn] C:\WINDOWS\ixchwn.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Csh] C:\WINDOWS\Npd.exe
O4 - HKLM\..\Run: [Uip] C:\WINDOWS\System32\Tma.exe
O4 - HKLM\..\Run: [Ktc] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Dgn] C:\WINDOWS\Duv.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Gea.exe
O4 - HKLM\..\Run: [Pec] C:\WINDOWS\Lob.exe
O4 - HKLM\..\Run: [Etd] C:\WINDOWS\Lee.exe
O4 - HKLM\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - HKLM\..\Run: [Ccj] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Tsb] C:\WINDOWS\Ouh.exe
O4 - HKLM\..\Run: [Ckg] C:\WINDOWS\Lbl.exe
O4 - HKLM\..\Run: [Dhb] C:\WINDOWS\System32\Tgg.exe
O4 - HKLM\..\Run: [Nue] C:\WINDOWS\System32\Bhq.exe
O4 - HKLM\..\Run: [Ekp] C:\WINDOWS\System32\Tlo.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Uuo] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Mii] C:\WINDOWS\Tfq.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\System32\Pot.exe
O4 - HKLM\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKLM\..\Run: [Oak] C:\WINDOWS\System32\Seu.exe
O4 - HKLM\..\Run: [Asi] C:\WINDOWS\System32\Eqp.exe
O4 - HKLM\..\Run: [Pdg] C:\WINDOWS\Rso.exe
O4 - HKLM\..\Run: [Anr] C:\WINDOWS\Fqt.exe
O4 - HKLM\..\Run: [Phb] C:\WINDOWS\System32\Sni.exe
O4 - HKLM\..\Run: [Mpe] C:\WINDOWS\Atm.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKLM\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKLM\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKLM\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKLM\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKLM\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKLM\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKLM\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKLM\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKLM\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKLM\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKLM\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKLM\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKLM\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKLM\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKLM\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKLM\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKLM\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKLM\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKLM\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKLM\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKLM\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKLM\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKLM\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKLM\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKLM\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKLM\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKLM\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKLM\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKLM\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKLM\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKLM\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKLM\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKLM\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKLM\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKLM\..\Run: [Nep] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Hmk] C:\WINDOWS\System32\Mdo.exe
O4 - HKLM\..\Run: [Gba] C:\WINDOWS\System32\Hkn.exe
O4 - HKLM\..\Run: [Cao] C:\WINDOWS\Nej.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKCU\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKCU\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKCU\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKCU\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKCU\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKCU\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKCU\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKCU\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKCU\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKCU\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKCU\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKCU\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKCU\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKCU\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKCU\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKCU\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKCU\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKCU\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKCU\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKCU\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKCU\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKCU\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKCU\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKCU\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKCU\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKCU\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKCU\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKCU\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKCU\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKCU\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKCU\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKCU\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKCU\..\Run: [Nep] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Hmk] C:\WINDOWS\System32\Mdo.exe
O4 - HKCU\..\Run: [Gba] C:\WINDOWS\System32\Hkn.exe
O4 - HKCU\..\Run: [Cao] C:\WINDOWS\Nej.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: iManage DeskSite.lnk = C:\Program Files\iManage\Manage32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.gtlaw.com.au/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://docs.gtlaw.com.au/worksite/bin/iManFile.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brco.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\Software\..\Telephony: DomainName = sydney.gtlaw.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\TNGSD\BIN\SDSERV.EXE

#5 Mike_in_Oz


Posted 29 March 2005 - 05:02 PM

I didn't reboot before my last HiJackThis log, so here's the latest one.
Many thanks.

=========================

Logfile of HijackThis v1.99.1
Scan saved at 8:02:14 AM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\WINDOWS\System32\spoolvse.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\Gcq.exe
C:\WINDOWS\System32\ntddetect.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Spyware Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ixchwn] C:\WINDOWS\ixchwn.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Csh] C:\WINDOWS\Npd.exe
O4 - HKLM\..\Run: [Uip] C:\WINDOWS\System32\Tma.exe
O4 - HKLM\..\Run: [Ktc] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Dgn] C:\WINDOWS\Duv.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Gea.exe
O4 - HKLM\..\Run: [Pec] C:\WINDOWS\Lob.exe
O4 - HKLM\..\Run: [Etd] C:\WINDOWS\Lee.exe
O4 - HKLM\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - HKLM\..\Run: [Ccj] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Tsb] C:\WINDOWS\Ouh.exe
O4 - HKLM\..\Run: [Ckg] C:\WINDOWS\Lbl.exe
O4 - HKLM\..\Run: [Dhb] C:\WINDOWS\System32\Tgg.exe
O4 - HKLM\..\Run: [Nue] C:\WINDOWS\System32\Bhq.exe
O4 - HKLM\..\Run: [Ekp] C:\WINDOWS\System32\Tlo.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Uuo] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Mii] C:\WINDOWS\Tfq.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\System32\Pot.exe
O4 - HKLM\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKLM\..\Run: [Oak] C:\WINDOWS\System32\Seu.exe
O4 - HKLM\..\Run: [Asi] C:\WINDOWS\System32\Eqp.exe
O4 - HKLM\..\Run: [Pdg] C:\WINDOWS\Rso.exe
O4 - HKLM\..\Run: [Anr] C:\WINDOWS\Fqt.exe
O4 - HKLM\..\Run: [Phb] C:\WINDOWS\System32\Sni.exe
O4 - HKLM\..\Run: [Mpe] C:\WINDOWS\Atm.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKLM\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKLM\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKLM\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKLM\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKLM\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKLM\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKLM\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKLM\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKLM\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKLM\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKLM\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKLM\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKLM\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKLM\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKLM\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKLM\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKLM\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKLM\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKLM\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKLM\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKLM\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKLM\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKLM\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKLM\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKLM\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKLM\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKLM\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKLM\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKLM\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKLM\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKLM\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKLM\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKLM\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKLM\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKLM\..\Run: [Nep] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Hmk] C:\WINDOWS\System32\Mdo.exe
O4 - HKLM\..\Run: [Gba] C:\WINDOWS\System32\Hkn.exe
O4 - HKLM\..\Run: [Cao] C:\WINDOWS\Nej.exe
O4 - HKLM\..\Run: [Nkt] C:\WINDOWS\System32\Ndo.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKCU\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKCU\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKCU\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKCU\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKCU\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKCU\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKCU\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKCU\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKCU\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKCU\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKCU\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKCU\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKCU\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKCU\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKCU\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKCU\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKCU\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKCU\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKCU\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKCU\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKCU\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKCU\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKCU\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKCU\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKCU\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKCU\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKCU\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKCU\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKCU\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKCU\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKCU\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKCU\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKCU\..\Run: [Nep] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Hmk] C:\WINDOWS\System32\Mdo.exe
O4 - HKCU\..\Run: [Gba] C:\WINDOWS\System32\Hkn.exe
O4 - HKCU\..\Run: [Cao] C:\WINDOWS\Nej.exe
O4 - HKCU\..\Run: [Nkt] C:\WINDOWS\System32\Ndo.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: iManage DeskSite.lnk = C:\Program Files\iManage\Manage32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.gtlaw.com.au/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://docs.gtlaw.com.au/worksite/bin/iManFile.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brco.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\Software\..\Telephony: DomainName = sydney.gtlaw.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\TNGSD\BIN\SDSERV.EXE

#6 miekiemoes

  • Malware Response Team
  • Location:Belgium

Posted 29 March 2005 - 05:40 PM

Hi Mike,

Seems like BitDefender flags the files but couldn't get rid of them, so we have to delete them manually in safe mode.
So I suggest you print out the next instructions, because you have to work in safe mode too and this page won't be available then.
Also, open your Spybot S&D, choose the option Recovery and delete everything that's in there. Do the same for your eTrust.
It seems like some mails were infected too, so delete them.
Be careful when you get mails with the subject: Mail Delivery failure!!

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ixchwn] C:\WINDOWS\ixchwn.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Csh] C:\WINDOWS\Npd.exe
O4 - HKLM\..\Run: [Uip] C:\WINDOWS\System32\Tma.exe
O4 - HKLM\..\Run: [Ktc] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Dgn] C:\WINDOWS\Duv.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Gea.exe
O4 - HKLM\..\Run: [Pec] C:\WINDOWS\Lob.exe
O4 - HKLM\..\Run: [Etd] C:\WINDOWS\Lee.exe
O4 - HKLM\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - HKLM\..\Run: [Ccj] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Tsb] C:\WINDOWS\Ouh.exe
O4 - HKLM\..\Run: [Ckg] C:\WINDOWS\Lbl.exe
O4 - HKLM\..\Run: [Dhb] C:\WINDOWS\System32\Tgg.exe
O4 - HKLM\..\Run: [Nue] C:\WINDOWS\System32\Bhq.exe
O4 - HKLM\..\Run: [Ekp] C:\WINDOWS\System32\Tlo.exe
O4 - HKLM\..\Run: [Uuo] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Mii] C:\WINDOWS\Tfq.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\System32\Pot.exe
O4 - HKLM\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKLM\..\Run: [Oak] C:\WINDOWS\System32\Seu.exe
O4 - HKLM\..\Run: [Asi] C:\WINDOWS\System32\Eqp.exe
O4 - HKLM\..\Run: [Pdg] C:\WINDOWS\Rso.exe
O4 - HKLM\..\Run: [Anr] C:\WINDOWS\Fqt.exe
O4 - HKLM\..\Run: [Phb] C:\WINDOWS\System32\Sni.exe
O4 - HKLM\..\Run: [Mpe] C:\WINDOWS\Atm.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKLM\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKLM\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKLM\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKLM\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKLM\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKLM\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKLM\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKLM\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKLM\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKLM\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKLM\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKLM\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKLM\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKLM\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKLM\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKLM\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKLM\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKLM\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKLM\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKLM\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKLM\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKLM\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKLM\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKLM\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKLM\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKLM\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKLM\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKLM\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKLM\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKLM\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKLM\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKLM\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKLM\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKLM\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKLM\..\Run: [Nep] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Hmk] C:\WINDOWS\System32\Mdo.exe
O4 - HKLM\..\Run: [Gba] C:\WINDOWS\System32\Hkn.exe
O4 - HKLM\..\Run: [Cao] C:\WINDOWS\Nej.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Cpg] C:\WINDOWS\Ifr.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Vbu.exe
O4 - HKCU\..\Run: [Odt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Tjv] C:\WINDOWS\System32\Cdf.exe
O4 - HKCU\..\Run: [Uat] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Jdi] C:\WINDOWS\Pqs.exe
O4 - HKCU\..\Run: [Aln] C:\WINDOWS\System32\Qdo.exe
O4 - HKCU\..\Run: [Dii] C:\WINDOWS\Ncv.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Ehh.exe
O4 - HKCU\..\Run: [Lts] C:\WINDOWS\Qmt.exe
O4 - HKCU\..\Run: [Tmn] C:\WINDOWS\System32\Iim.exe
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\Rjn.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\Hpn.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\System32\Bde.exe
O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\System32\Egg.exe
O4 - HKCU\..\Run: [Jmc] C:\WINDOWS\System32\Sqe.exe
O4 - HKCU\..\Run: [Tuk] C:\WINDOWS\Dgu.exe
O4 - HKCU\..\Run: [Drc] C:\WINDOWS\Bdi.exe
O4 - HKCU\..\Run: [Lst] C:\WINDOWS\System32\Njg.exe
O4 - HKCU\..\Run: [Rrc] C:\WINDOWS\System32\Chq.exe
O4 - HKCU\..\Run: [Vni] C:\WINDOWS\Olp.exe
O4 - HKCU\..\Run: [Puj] C:\WINDOWS\Api.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Ipk.exe
O4 - HKCU\..\Run: [Ofr] C:\WINDOWS\Odd.exe
O4 - HKCU\..\Run: [Sdv] C:\WINDOWS\System32\Bmt.exe
O4 - HKCU\..\Run: [Ekl] C:\WINDOWS\System32\Nfp.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\System32\Spf.exe
O4 - HKCU\..\Run: [Vvu] C:\WINDOWS\Lmq.exe
O4 - HKCU\..\Run: [Edh] C:\WINDOWS\Dlo.exe
O4 - HKCU\..\Run: [Kce] C:\WINDOWS\System32\Tap.exe
O4 - HKCU\..\Run: [Ivl] C:\WINDOWS\Dpv.exe
O4 - HKCU\..\Run: [Gnc] C:\WINDOWS\System32\Ssh.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\System32\Ogm.exe
O4 - HKCU\..\Run: [Oei] C:\WINDOWS\System32\Upf.exe
O4 - HKCU\..\Run: [Qki] C:\WINDOWS\System32\Drn.exe
O4 - HKCU\..\Run: [Afb] C:\WINDOWS\System32\And.exe
O4 - HKCU\..\Run: [Ifr] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Lrv] C:\WINDOWS\System32\Iab.exe
O4 - HKCU\..\Run: [Quk] C:\WINDOWS\System32\Scq.exe
O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Fhr.exe
O4 - HKCU\..\Run: [Eqg] C:\WINDOWS\System32\Daa.exe
O4 - HKCU\..\Run: [Hcf] C:\WINDOWS\System32\Bhf.exe
O4 - HKCU\..\Run: [Aqp] C:\WINDOWS\System32\Irf.exe
O4 - HKCU\..\Run: [Ols] C:\WINDOWS\Bou.exe
O4 - HKCU\..\Run: [Cve] C:\WINDOWS\System32\Ovq.exe
O4 - HKCU\..\Run: [Lca] C:\WINDOWS\Tcu.exe
O4 - HKCU\..\Run: [Nep] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Hmk] C:\WINDOWS\System32\Mdo.exe
O4 - HKCU\..\Run: [Gba] C:\WINDOWS\System32\Hkn.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
° To get into Safe Mode, as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.


Using Windows Explorer, locate the following files/folders, and delete them: (Watch the spelling!!!)

C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\ntddetect.exe
c:\program files\180solutions <==this folder
C:\WINDOWS\system32\x3yy <== this folder
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\wsem303.dll
C:\sp.exe

Search for all those 3-letter exe files (that are flagged above in your log, e.g. C:\WINDOWS\System32\Bhf.exe, C:\WINDOWS\System32\Scq.exe, C:\WINDOWS\Bou.exe, C:\WINDOWS\Dpv.exe) that are present in your System32 and Windows folders and delete them. To find them quickly, right-click on one or two and choose Properties. Check the file size and date. They all must have the SAME file size (most probably 8kb) and SAME date.
So, open your System32 folder and click 'View' in the menu at the top.
Change the view to Details and click on the header of the Size column to sort the files by size.
Do the same for your Windows-folder.


Also search for a file called desktop.html, probably present in your: C:\WINDOWS\Web\desktop.html

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there

* Start CCleaner and click Run Cleaner

* Reboot your system back to normal mode

Post back a fresh HijackThis log and I'll take another look.
Don't worry if your desktop isn't fixed afterwards, we'll deal with that later. First I want to be sure that all those files are deleted.

Edited by miekiemoes, 29 March 2005 - 05:41 PM.

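As an added triage aid (example code, not from the thread, from miekiemoes or from HijackThis itself), the script below applies the two checks described in the post above to a log: it parses the O4 autostart lines, flags launch targets that match the random three-letter-name-in-a-system-folder pattern or that are registered in several Run locations at once, and groups files by identical size and date the way the sort-by-size tip suggests. The sample O4 lines are copied from this thread's log; the file sizes and dates are constructed.

```python
"""Triage helper for HijackThis O4 (autostart) entries."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample: O4 lines copied from the log posted in this thread,
# malicious and legitimate entries mixed, plus one Global Startup line.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Rkd] C:\WINDOWS\Gcq.exe
O4 - HKLM\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Ord] C:\WINDOWS\System32\Tpm.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
"""

# Constructed file metadata for the size/date check: the 8 kB size follows
# the "most probably 8kb" remark in the post, the other values are made up.
SAMPLE_FILES = [
    (r"C:\WINDOWS\Gcq.exe", 8192, date(2005, 3, 28)),
    (r"C:\WINDOWS\System32\Tpm.exe", 8192, date(2005, 3, 28)),
    (r"C:\WINDOWS\System32\Bhf.exe", 8192, date(2005, 3, 28)),
    (r"C:\WINDOWS\System32\ctfmon.exe", 15360, date(2002, 8, 29)),
    (r"C:\WINDOWS\System32\spoolvse.exe", 30720, date(2005, 3, 28)),
]

# "O4 - HKLM\..\Run: [name] command"; Global Startup (.lnk) lines are not
# registry entries and are skipped by this parser.
O4_REGISTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# Launch target: optional opening quote, then everything up to the first
# ".exe" (drops the closing quote and any arguments such as "-s").
EXE_TARGET = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)
# The pattern the post describes: a three-letter .exe dropped straight into
# C:\WINDOWS or C:\WINDOWS\System32.
RANDOM_NAME = re.compile(r"^c:\\windows\\(?:system32\\)?[a-z]{3}\.exe$", re.IGNORECASE)


def parse_o4(log_text):
    """Return (hive, key, entry_name, target) tuples for registry-based O4 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REGISTRY.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        t = EXE_TARGET.match(command)
        entries.append((hive, key, name, t.group(1) if t else command))
    return entries


def group_by_target(entries):
    """Map each target (lower-cased; Windows paths are case-insensitive) to the
    set of HIVE\\Key autostart locations that launch it."""
    locations = defaultdict(set)
    for hive, key, _name, target in entries:
        locations[target.lower()].add(f"{hive}\\{key}")
    return locations


def suspicious_targets(entries):
    """Targets worth a closer look, with the reason(s): the random three-letter
    name pattern, or one binary registered in several autostart locations
    (spoolvse.exe sits in HKLM Run, HKLM RunServices and HKCU Run in this log).
    Triage aid only: paytime.exe matches neither rule and is still malware."""
    flagged = {}
    for target, where in group_by_target(entries).items():
        reasons = []
        if RANDOM_NAME.match(target):
            reasons.append("three-letter executable directly in a system folder")
        if len(where) > 1:
            reasons.append(f"registered in {len(where)} autostart locations")
        if reasons:
            flagged[target] = reasons
    return flagged


def cluster_by_size_and_date(files, min_members=3):
    """Group (path, size_bytes, modified_date) records by identical size and
    date, the sort-by-size trick from the post; returns clusters of at least
    min_members files, largest cluster first, paths sorted."""
    clusters = defaultdict(list)
    for path, size, modified in files:
        clusters[(size, modified)].append(path)
    big = [(k, sorted(v)) for k, v in clusters.items() if len(v) >= min_members]
    return sorted(big, key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    for target, reasons in sorted(suspicious_targets(entries).items()):
        print(f"{target}: {'; '.join(reasons)}")
    for (size, modified), paths in cluster_by_size_and_date(SAMPLE_FILES):
        print(f"{len(paths)} files of {size} bytes dated {modified}: {', '.join(paths)}")
```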

#7 Mike_in_Oz


Posted 29 March 2005 - 07:17 PM

Thanks for your help miekiemoes.
I followed all your steps - the only problem I had was trying to delete the web desktop:

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there

I only had one item listed there "My Home Page" which it wouldn't let me delete.

[btw - what time zone are you in? I'm in Sydney - just so I know when to expect posts or not!]

Here's the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:09:07 AM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\cmd.exe
C:\TNGSD\BIN\sdjexec.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\userinit.exe
C:\Spyware Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Qmh] C:\WINDOWS\Eao.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Bub] C:\WINDOWS\Lvn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Qmh] C:\WINDOWS\Eao.exe
O4 - HKCU\..\Run: [Bub] C:\WINDOWS\Lvn.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: iManage DeskSite.lnk = C:\Program Files\iManage\Manage32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.gtlaw.com.au/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://docs.gtlaw.com.au/worksite/bin/iManFile.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brco.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\Software\..\Telephony: DomainName = sydney.gtlaw.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\TNGSD\BIN\SDSERV.EXE
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:17 AM

Posted 29 March 2005 - 07:46 PM

Hi,

Have you been deleting C:\WINDOWS\system32\spoolsv.exe??
I told you to watch the spelling though.
The file you had to delete was spoolvse.exe

Could you go to the next site: http://virusscan.jotti.org/
There you'll see: File to upload and scan. Could you submit the next file there and let it scan?

C:\TNGSD\BIN\sdjexec.exe

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [Qmh] C:\WINDOWS\Eao.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Bub] C:\WINDOWS\Lvn.exe
O4 - HKCU\..\Run: [Qmh] C:\WINDOWS\Eao.exe
O4 - HKCU\..\Run: [Bub] C:\WINDOWS\Lvn.exe


* Click on Fix Checked when finished and exit HijackThis.

Did you find desktop.html and delete it?

Download the next regfile:
http://forums.net-integration.net/index.ph...=post&id=139544

Save it on your desktop and double-click on it. If it asks to add the contents to the registry, click yes/ok.

Reboot and post a new log, together with the result from the online scan of that sdjexec.exe.

Edit: I live in Europe. :thumbsup:

Edited by miekiemoes, 29 March 2005 - 07:47 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Mike_in_Oz

Mike_in_Oz
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 PM

Posted 29 March 2005 - 09:49 PM

Thanks again miekiemoes.
My comments in red below.

BTW, my desktop seems to be OK now, as I can right-click on Properties etc., so I think we can close that one. :thumbsup:

Have you been deleting C:\WINDOWS\system32\spoolsv.exe?? Yes - my error - I have the flu today! Does it matter?
I told you to watch the spelling though.
The file you had to delete was spoolvse.exe Done

Could you go to the next site: http://virusscan.jotti.org/
There you'll see: File to upload and scan. Could you submit the next file there and let it scan?

C:\TNGSD\BIN\sdjexec.exe Done

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [Qmh] C:\WINDOWS\Eao.exe Done
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe Done
O4 - HKLM\..\Run: [Bub] C:\WINDOWS\Lvn.exe Done
O4 - HKCU\..\Run: [Qmh] C:\WINDOWS\Eao.exe Done
O4 - HKCU\..\Run: [Bub] C:\WINDOWS\Lvn.exe Done

* Click on Fix Checked when finished and exit HijackThis.

Did you find desktop.html and delete it? Done

Download the next regfile:
http://forums.net-integration.net/index.ph...=post&id=139544

Save it on your desktop and double-click on it. If it asks to add the contents to the registry, click yes/ok. Done

Reboot and post a new log, together with the result from the online scan of that sdjexec.exe. Done

======================
Log from SDJEXEC.EXE:

Service load: 0% 100%

File: sdjexec.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: -

AntiVir No viruses found
Avast No viruses found
AVG Antivirus No viruses found
BitDefender No viruses found
ClamAV No viruses found
Dr.Web No viruses found
F-Prot Antivirus No viruses found
Fortinet No viruses found
Kaspersky Anti-Virus No viruses found
mks_vir No viruses found
NOD32 No viruses found
Norman Virus Control No viruses found

=====================

Log from latest HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:03 PM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\OSD.exe
C:\Spyware Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: iManage DeskSite.lnk = C:\Program Files\iManage\Manage32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.gtlaw.com.au/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://docs.gtlaw.com.au/worksite/bin/iManFile.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brco.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\Software\..\Telephony: DomainName = sydney.gtlaw.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sydney.gtlaw.com.au
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\TNGSD\BIN\SDSERV.EXE
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

===================
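The two logs in this post are a before/after pair around the Fix Checked step from post #8. As an added example (not from the thread, and not HijackThis' own logic), here is a small Python triage script that parses the O4 Run entries out of both logs, flags the ones that trip a few simple heuristics (executable launched from a Temp folder, a three-letter name dropped straight into C:\WINDOWS, a value name that does not match the executable name), and diffs the two logs to confirm what the fix actually removed. The heuristics and thresholds are my assumptions; the O4 lines are copied from the logs above. Run against them, it reports the four Qmh/Bub entries as removed and the Disk Keeper keep.exe entry as still present in the second log, which is exactly the kind of leftover a before/after diff exists to catch.

```python
import re
from typing import Dict, List, Tuple

# O4 Run-key lines copied from the two HijackThis v1.99.1 logs in this thread
# (only the entries relevant to the before/after comparison, not the full logs).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Qmh] C:\WINDOWS\Eao.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Bub] C:\WINDOWS\Lvn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Qmh] C:\WINDOWS\Eao.exe
O4 - HKCU\..\Run: [Bub] C:\WINDOWS\Lvn.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MSOLOM~1\LOCALS~1\Temp\keep.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Shape of an O4 Run line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
# First "...exe" token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)

Entry = Tuple[str, str]  # (hive, value name)


def parse_o4(log: str) -> Dict[Entry, str]:
    """Map (hive, value name) -> command for every O4 Run entry in a log."""
    entries: Dict[Entry, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[(hive, name)] = command
    return entries


def suspicious_reasons(name: str, command: str) -> List[str]:
    """Heuristic red flags for one autorun entry (my assumptions, not HijackThis rules)."""
    m = EXE_RE.match(command)
    path = m.group(1) if m else command
    parts = path.replace("/", "\\").split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    folder = "\\".join(parts[:-1]).lower()
    reasons = []
    if "\\temp" in folder:
        reasons.append("runs from a Temp folder")
    if folder == "c:\\windows" and len(stem) <= 3:
        reasons.append("short random-looking name directly in C:\\WINDOWS")
    if len(name) <= 3 and name.lower() != stem.lower():
        reasons.append("value name does not match the executable name")
    return reasons


def triage(log: str) -> Dict[Entry, List[str]]:
    """Only the entries that trip at least one heuristic, with the reasons."""
    flagged: Dict[Entry, List[str]] = {}
    for entry, command in parse_o4(log).items():
        reasons = suspicious_reasons(entry[1], command)
        if reasons:
            flagged[entry] = reasons
    return flagged


def diff_runs(before: str, after: str) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """(removed, added, still flagged in the after log) between two logs."""
    b, a = parse_o4(before), parse_o4(after)
    removed = sorted(e for e in b if e not in a)
    added = sorted(e for e in a if e not in b)
    still_flagged = sorted(triage(after))
    return removed, added, still_flagged


if __name__ == "__main__":
    for entry, reasons in triage(BEFORE_LOG).items():
        print("FLAG", entry, "->", "; ".join(reasons))
    removed, added, left = diff_runs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)
    print("added:", added)
    print("still flagged after fix:", left)
```

The heuristics are deliberately crude and only meant to surface candidates for a human to look at; a legitimate vendor tool can live in C:\WINDOWS (DELLMMKB.EXE above is not flagged only because its name is long), so the flagged list is a starting point for checking each file, not a delete list.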

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:17 AM

Posted 30 March 2005 - 06:37 AM

Hello, your log looks clean again.
How are things running now? Desktop ok again?

Have you been deleting C:\WINDOWS\system32\spoolsv.exe?? Yes - my error - I have the flu today! Does it matter?


The spooler service is responsible for managing spooled print/fax jobs.
Do a search for it (spoolsv.exe) through start > search.
Most probably you'll find another spoolsv.exe in a folder called C:\Windows\Servicepackfiles\.. or C:\Windows\Softwaredistribution.... Copy it to your system32 folder then.
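The spelling mix-up in this exchange (the real spooler spoolsv.exe got deleted instead of the spoolvse.exe the helper meant) is a pattern worth checking for automatically: malware often takes a name one or two characters away from a core Windows process, and a tired human reading a process list will miss it. As an added example, not from the thread or any tool it mentions, this Python script takes a "Running processes" list in the shape HijackThis prints and reports every name that is not on a small allowlist of core Windows XP processes but sits within two edits or one adjacent swap of one. The allowlist is my own assumption, and the spoolvse.exe line in the sample is constructed from the helper's description, since the logs posted here no longer contain it.

```python
from typing import List, Tuple

# Core Windows XP processes that malware commonly mimics by name. This allowlist is
# an assumption made for the example; extend it for your own environment.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe", "ctfmon.exe",
}

# Constructed "Running processes" sample: real entries from the thread's log plus a
# spoolvse.exe line modelled on the file the helper told the poster to delete.
RUNNING_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\spoolvse.exe",   # constructed lookalike, not from the posted logs
    r"C:\WINDOWS\System32\ctfmon.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\CA\eTrust Antivirus\InoRT.exe",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(paths: List[str], max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (path, core name it resembles, distance) for names NOT on the allowlist.

    Exact allowlist matches are skipped, so two legitimate core names that happen to
    be close to each other (smss.exe / csrss.exe) never flag each other.
    """
    hits = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in CORE_PROCESSES:
            continue
        best = min(CORE_PROCESSES, key=lambda core: osa_distance(name, core))
        dist = osa_distance(name, best)
        if dist <= max_distance:
            hits.append((path, best, dist))
    return hits


if __name__ == "__main__":
    for path, core, dist in find_lookalikes(RUNNING_PROCESSES):
        print(f"LOOKALIKE {path}  resembles {core}  (distance {dist})")
```

A hit names both the impostor and the legitimate process it is imitating, so the delete goes to the right file; before acting on one, confirm the full path and the file's properties, because the legitimate spoolsv.exe also lives in system32 and only the name tells them apart.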

#11 Mike_in_Oz

Mike_in_Oz
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 PM

Posted 30 March 2005 - 07:06 AM

Many, many thanks for your help, miekiemoes. My laptop is behaving itself again. Joy!!

I will reinstall the spooler file.

Hopefully my experience will be helpful to others.

Many thanks again - as we say here, "you are a legend, mate!!"

Mike

:thumbsup:

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:17 AM

Posted 30 March 2005 - 07:44 AM

Glad I could help you.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ ASAP to install SP2 (this will also take care of your missing spoolsv.exe).

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again!



