
HJT Log - Jamie - Please help diagnose!


36 replies to this topic

#1 jlittlejohn

jlittlejohn

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 24 July 2004 - 01:00 PM

Been having problems with computer - downloaded ad-aware, spybot, etc. and got rid of some stuff, but now my Symantec is finding a backdoor.trojan file and I can't locate it where it says it is. I have downloaded HijackThis.exe and ran it. My log is attached. Thanks!

_________________________________________________________________

Logfile of HijackThis v1.98.0
Scan saved at 10:36:01 AM, on 7/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\RavSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\eScription\EditScript\EditScriptClientMain_5_0_18.exe
C:\Program Files\eScription\EditScript\DatabaseRequestServer_5_0_18.exe
C:\Program Files\eScription\EditScript\DatabaseRequestServer_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CC67866-A76F-41F2-8492-FE092097C401} - C:\WINNT\system32\ffegme.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup Message.doc
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.transcendservices.com/mls/viewe...tiveXViewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF2E2523-5E55-4A8F-A0C9-0F2B7457290C} (SWTrackerCTL.ucTrackerCTL) - https://www.transcendservices.com/CABS/SWTrackerCTL.CAB
O18 - Filter: text/html - {D4A0F905-0AF6-4723-A80F-9B96DA5A5762} - C:\WINNT\system32\ffegme.dll
O18 - Filter: text/plain - {D4A0F905-0AF6-4723-A80F-9B96DA5A5762} - C:\WINNT\system32\ffegme.dll
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:24 PM

Posted 24 July 2004 - 07:27 PM

Hello jlittlejohn,
First thing I need you to do is disable TeaTimer. It will prevent any fixes from working otherwise. Also, disable any other protection software you have going (i.e. Spyware Doctor).

**********

Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)

Also, please download the CWShredder.

Please download Adaware . Make sure it is up to date by clicking on the globe in the upper right-hand corner.

**********

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4CC67866-A76F-41F2-8492-FE092097C401} - C:\WINNT\system32\ffegme.dll (file missing)
O16 - DPF: {EF2E2523-5E55-4A8F-A0C9-0F2B7457290C} (SWTrackerCTL.ucTrackerCTL) - https://www.transcendservices.com/CABS/SWTrackerCTL.CAB
O18 - Filter: text/html - {D4A0F905-0AF6-4723-A80F-9B96DA5A5762} - C:\WINNT\system32\ffegme.dll
O18 - Filter: text/plain - {D4A0F905-0AF6-4723-A80F-9B96DA5A5762} - C:\WINNT\system32\ffegme.dll
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll

**********

Now, start APM.
In the upper window select explorer.exe
In the lower window find and right-click the O2 - BHO: entry from your HijackThis log.

In the current log it is this file but it may have changed names.
It is currently :

O2 - BHO: (no name) - {4CC67866-A76F-41F2-8492-FE092097C401} - C:\WINNT\system32\ffegme.dll
<--This file name

It is the 02 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.
Select Unload DLL, and click OK on the prompts that follow.

**********

Run the Shredder, and let it fix everything it finds.

**********

Run Adaware with the following settings:

  • Configure Ad-aware
    • Click on the Gear-shaped icon at the top to open the Settings window.
    • All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
    • General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
    • Scanning Settings
      • Scan Within Archives
      • Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
    • Advanced Settings - Enable all four options under 'Log-file Detail level'
    • Tweak Settings
      • Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
      • Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
    • Click Proceed
  • Click on the 'Start' button in the lower right.

  • Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.

  • Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.

  • Close Ad-aware


If Ad-Aware needs to reboot to finish cleaning, please let it.

**********

Please run the following online scan and let it fix everything it finds:
TrendMicro

**********

Reboot and post a new log. :D
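Reading the post above as a triage checklist, here is an added example (not code from HijackThis or from anyone in the thread) that scans a HijackThis log for the same classes of entries groovicus asked to have fixed and reports which flagged entries share a DLL. The sample log is a constructed, cut-down copy of the first log posted in the thread; the section rules are this example's own.

```python
"""Triage a HijackThis log for the entry classes fixed in this thread.

Constructed example; not code from HijackThis or from the forum.
"""
import re
from collections import defaultdict

# Constructed sample: a cut-down copy of the first log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CC67866-A76F-41F2-8492-FE092097C401} - C:\WINNT\system32\ffegme.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O18 - Filter: text/html - {D4A0F905-0AF6-4723-A80F-9B96DA5A5762} - C:\WINNT\system32\ffegme.dll
O18 - Filter: text/plain - {D4A0F905-0AF6-4723-A80F-9B96DA5A5762} - C:\WINNT\system32\ffegme.dll
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll
"""

# Every HijackThis entry line looks like "<section> - <body>".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Bare file name of any DLL/OCX/EXE mentioned in an entry.
DLL_RE = re.compile(r"([^\\/\s]+\.(?:dll|ocx|exe))", re.IGNORECASE)


def classify(section, body):
    """Return a reason if the entry matches a pattern fixed in the thread, else None."""
    if section == "O2" and ("(no name)" in body or "(file missing)" in body):
        return "unnamed or orphaned browser helper object"
    if section == "O18" and body.startswith("Filter:"):
        # A text/html or text/plain MIME filter sees every page the browser renders.
        return "MIME filter redirected to a DLL"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        # AppInit_DLLs is loaded into every process that loads user32.dll,
        # which is why the file stays locked and reappears after deletion.
        return "AppInit_DLLs injects this DLL into every GUI process"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if section == "R1" and "HomeOldSP" in body:
        return "HomeOldSP residue from a reset home page"
    if section == "R0" and body.rstrip().endswith("SearchAssistant ="):
        return "SearchAssistant cleared"
    return None


def triage(log_text):
    """Return a list of {section, reason, entry} dicts for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and process list are not entries
        section, body = m.groups()
        reason = classify(section, body)
        if reason:
            findings.append({"section": section, "reason": reason, "entry": raw.strip()})
    return findings


def related_dlls(findings):
    """Map each DLL named in a flagged entry to the sorted sections that reference it,
    so a DLL hooked in several places (here ffegme.dll in O2 and O18) stands out."""
    seen = defaultdict(set)
    for f in findings:
        for name in DLL_RE.findall(f["entry"]):
            seen[name.lower()].add(f["section"])
    return {name: sorted(sections) for name, sections in seen.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['section']:>4}  {f['reason']}\n      {f['entry']}")
    for dll, sections in related_dlls(found).items():
        print(f"{dll}: referenced by {', '.join(sections)}")
```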

#3 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 25 July 2004 - 01:21 PM

Did everything as instructed in your last reply to my first log. Had clear scans from CWShredder, Ad-Aware, and TrendMicro, but still getting a box that pops up from Symantec saying there is a backdoor.trojan and the file is C:\WINNT\System32\kbdcijp.dll. It shows this file in HijackThis as well, but when I checked it as instructed with the first log, it did not remove this. Problem is too that I cannot find a file by this name in that folder. I have the property under tools checked to show hidden files and to show all files (operating systems), etc., but it still is not showing up. Without being able to find such a file, how can I delete it or get rid of it completely?

Jamie
______________________________________________________________

Here's the new log from HT:


Logfile of HijackThis v1.98.0
Scan saved at 2:15:47 PM, on 7/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\RavSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINNT\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup Message.doc
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.transcendservices.com/mls/viewe...tiveXViewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:24 PM

Posted 25 July 2004 - 01:30 PM

We're getting there.. :thumbsup:

You have one of those pesky .dll's that are sometimes a terror to remove, so we may have to take a few tries at it.

Boot into SAFE MODE by tapping the f8 key during boot up.

***********************************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll

***********************************************************************


Run APM.
In the upper window select explorer.exe
In the lower window find and right-click on C:\WINNT\system32\kbdcijp.dll.

Select Unload DLL and click OK on the prompts that follow.

***********************************************************************
Run Adaware again to clean up the orphaned entries.

***********************************************************************
Reboot and post a new log :D

#5 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 25 July 2004 - 02:15 PM

I brought it up in safe mode, but when I do that, the file kbdcijp.dll does not even show up in the HijackThis log and it does not show up in the AWM at all either. I was able to remove the other entry you told me to, but that file does not show up under safe mode. What do I do now? The log for HJ is the same as the above, except the one entry you told me to delete is gone.

Thanks,
Jamie

#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:24 PM

Posted 25 July 2004 - 02:43 PM

Boot into regular mode, run APM, and see if you can find it and kill it that way.

If not, we will try the killbox. Either way, I need a new log to make sure nothing else has changed.

#7 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 26 July 2004 - 05:05 PM

Tried APM again and couldn't find it there. Here is the new HijackThis log. Just let me know what I need to do. Thanks!

Jamie

__________________________________________________________

Logfile of HijackThis v1.98.0
Scan saved at 6:04:00 PM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\RavSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINNT\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup Message.doc
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.transcendservices.com/mls/viewe...tiveXViewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll

#8 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:24 PM

Posted 26 July 2004 - 05:40 PM

Download the following:
http://www.downloads.subratam.org/KillBox.zip

Start the killbox, and paste in the following:
C:\WINNT\system32\kbdcijp.dll

Click on action, select 'delete on reboot'

Reboot. Let me know if it is still there. There are other methods yet that will work.

#9 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 26 July 2004 - 07:38 PM

That didn't work either. Got a message saying it couldn't kill it and then when it tried to delete and reboot, that didn't work either. It was still showing up on my Symantec popup box as there and in the Hijackthis log. Here is the new log, just in case you need it.

Jamie
________________________________________________________


Logfile of HijackThis v1.98.0
Scan saved at 8:34:57 PM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\RavSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINNT\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup Message.doc
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.transcendservices.com/mls/viewe...tiveXViewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll

#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:24 PM

Posted 26 July 2004 - 08:25 PM

Bummer. I'll give it high marks for persistence though....

Try this....

If you are comfortable tinkering in your registry, search through there for kbdcijp.dll.
Delete every key you find that contains that .dll (There should be 3 or 4)

Reboot, then see if you can find the file to delete.

#11 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 26 July 2004 - 08:30 PM

How do I get into the registry to search for them? I don't mind to search through them b/c I'm fairly computer literate, but I've never searched through the registry before and don't know where to go to search. Just let me know and I'll try it.

Thanks,
Jamie

#12 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 26 July 2004 - 08:47 PM

Ignore that last reply. I got into the registry. I did a search and only found that .dll listed 1 time, but I deleted it out of the registry. Now I can see the file under the folder. I'm going to do a Hijackthis right now and then try using that killbox thing you gave me to see what that does. So far so good! :thumbsup:

Jamie

#13 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 26 July 2004 - 09:09 PM

I can still see the file in the folder, but I can't get rid of it with killbox or hijackthis. Here is the new hijackthis log.

Jamie
____________________________________________________

Logfile of HijackThis v1.98.0
Scan saved at 10:08:46 PM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\RavSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\eScription\EditScript\EditScriptClientMain_5_0_18.exe
C:\Program Files\eScription\EditScript\DatabaseRequestServer_5_0_18.exe
C:\Program Files\eScription\EditScript\DatabaseRequestServer_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Program Files\eScription\EditScript\TimeOutMonitor_5_0_18.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.transcendservices.com/mls/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup Message.doc
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.transcendservices.com/mls/viewe...tiveXViewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINNT\system32\kbdcijp.dll

#14 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:24 PM

Posted 26 July 2004 - 09:30 PM

I have another technique that I am testing. I want to make sure it works properly before I give it to you. Your system is in pretty good shape right now, so I just need you to sit tight until tomorrow when I know the fix works as it is supposed to.

#15 jlittlejohn

jlittlejohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 27 July 2004 - 11:33 AM

Fine with me. I just wanted to let you know though that the file is no longer in that folder. I'm going to try later to look through the registry again. It's quite large and it takes forever to go through it all. It's saying it's only in 1 spot and I delete it and exit and it's nowhere to be found in a file. It just keeps popping back in the registry for some reason. Last night, it didn't do that. So later on when I'm not working or taking care of my daughter, I'll try to go back in and look again and go from there.

Take your time. This has been going on for some time and a few more days won't kill me!!! :thumbsup:

Jamie
