
Removing rpcss_pl.exe


64 replies to this topic

#1 softtest123

softtest123

  • Members
  • 36 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 01 April 2005 - 04:21 PM

I have attempted to use the procedure in http://www.bleepingcomputer.com/startups/r...l.exe-7471.html to remove rpcss_pl.exe. I am running Windows 2000 Pro in safe mode, so maybe that is part of the problem.

First of all I do not have sc.exe on my system so it was necessary to download this from:

ftp://ftp.microsoft.com/reskit/win2000/sc.zip

and unzip it.

sc seems to run correctly. I'll have to rtfm to see if there is a way to check on dependency or to see if the dependency was re-established. In any case, sc indicated that the dependency operation was successful.

Next I used Killbox as instructed.

Killbox replies with: "This File could not be Deleted"

However, when I checked the "Delete on Reboot" radio button, clicked the red X and allowed the system to reboot (back to safe mode), rpcss_pl.exe was successfully removed.
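The two mechanisms the post above leans on, as an added example that is not part of the original thread or of any tool mentioned in it: parsing `sc qc` output to confirm that a service no longer lists the trojan's service as a dependency (which is what the "dependency operation" has to achieve before the file can go, and what `sc` itself does not show you when it reports SUCCESS), and encoding and decoding the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where a "Delete on Reboot" request (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) sits until the next boot. The sample `sc qc` text, the service name rpcss_pl and the file paths are constructed for illustration; nothing here was captured from the poster's machine.

```python
import re

# Constructed sample of `sc qc RpcSs` output (not captured from the poster's
# machine). The RPC service has been made to depend on a bogus service named
# rpcss_pl (an assumed name); that dependency is what keeps the bogus service
# from being stopped or deleted while RPC is running.
SAMPLE_SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINNT\\system32\\svchost -k rpcss
        LOAD_ORDER_GROUP   : COM Infrastructure
        TAG                : 0
        DISPLAY_NAME       : Remote Procedure Call (RPC)
        DEPENDENCIES       : rpcss_pl
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
"""

# One "NAME : value" line; continuation lines have an empty NAME.
FIELD_RE = re.compile(r"^\s*([A-Z_]*)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict. DEPENDENCIES becomes a list because
    sc prints every additional dependency on its own ':'-prefixed line."""
    fields = {"DEPENDENCIES": []}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # e.g. the "[SC] ... SUCCESS" banner
        name, value = m.groups()
        if name:
            current = name
        if current == "DEPENDENCIES":
            if value:
                fields["DEPENDENCIES"].append(value)
        elif name:
            fields[name] = value
    return fields


def depends_on(sc_qc_text, suspect):
    """True if the queried service still lists `suspect` as a dependency."""
    return any(d.lower() == suspect.lower()
               for d in parse_sc_qc(sc_qc_text)["DEPENDENCIES"])


def sc_config_depend_command(service, sc_qc_text, drop):
    """Build the `sc config` line that rewrites the dependency list without
    `drop`. depend= replaces the whole list (slash-separated, and sc insists
    on the space after '='), so every dependency to keep must be repeated.
    Returns None when nothing would remain; clearing the list entirely has
    its own syntax in `sc config` help and is not covered here."""
    keep = [d for d in parse_sc_qc(sc_qc_text)["DEPENDENCIES"]
            if d.lower() != drop.lower()]
    if not keep:
        return None
    return "sc config %s depend= %s" % (service, "/".join(keep))


# Where a "Delete on Reboot" request is stored: MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) pair to this
# REG_MULTI_SZ value and the session manager replays the pairs at boot.
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def _nt_path(path):
    """Prefix a Win32 path with the NT namespace prefix, keeping a leading
    '!' (the replace-existing marker) in front of the prefix."""
    bang = path.startswith("!")
    body = path[1:] if bang else path
    if not body.startswith(NT_PREFIX):
        body = NT_PREFIX + body
    return ("!" if bang else "") + body


def encode_pending_renames(ops):
    """Encode (source, destination) pairs as the raw REG_MULTI_SZ bytes.
    An empty destination means 'delete at boot', which is what a Delete on
    Reboot request such as Killbox's writes."""
    parts = []
    for src, dst in ops:
        parts.append(_nt_path(src))
        parts.append(_nt_path(dst) if dst else "")
    return ("\0".join(parts) + "\0\0").encode("utf-16-le")


def decode_pending_renames(data):
    """Inverse of encode_pending_renames: (source, destination, action) per
    entry, as you would read the value back during triage."""
    strings = data.decode("utf-16-le").split("\0")
    if strings[-2:] == ["", ""]:          # drop the MULTI_SZ terminator
        strings = strings[:-2]
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        action = "delete" if dst == "" else ("replace" if dst.startswith("!") else "move")
        ops.append((src, dst, action))
    return ops


if __name__ == "__main__":
    print("RpcSs still depends on rpcss_pl:", depends_on(SAMPLE_SC_QC, "rpcss_pl"))
    print(sc_config_depend_command("RpcSs", SAMPLE_SC_QC, "rpcss_pl"))
    blob = encode_pending_renames([("C:\\WINNT\\system32\\rpcss_pl.exe", "")])
    for entry in decode_pending_renames(blob):
        print(entry)
```

Two practical notes. After rewriting dependencies with `sc config`, read them back with `sc qc` rather than trusting the SUCCESS line, which only says the configuration call was accepted. And because the same PendingFileRenameOperations value is how malware replaces or removes system files at boot, dumping it with decode_pending_renames is a cheap check during an investigation: an entry whose source is in a temp directory and whose destination is under the system directory deserves attention before you let the machine reboot.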


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:10:20 AM

Posted 02 April 2005 - 02:42 PM

Hello SoftTest123 and welcome to the BC forums. We need a HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis_sfx.exe. Double-click on the file you just downloaded and click on the UnZip button to install the program.

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window, add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log as quickly as I can.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 03 April 2005 - 05:45 PM

I have already tried deleting what appeared to me to be obvious problems (I looked them up before I deleted them and cleaned up a lot of problems, but there are still some left.)

Here are some additional notes and a couple of HijackThis logs.

The following information was collected after a full reboot (but with the LAN access physically disconnected) and after running cleanups with Spybot, Ad-Aware SE, and obvious things with HijackThis. I have removed the rpcss_pl.exe file, but the reference to it reappears after I delete it. There seems to be some kind of periodic refresh.

Bad things happen when I connect to the internet. I will have to connect to send this to you. I have included the HijackThis log collected when not connected to the Internet, I will collect another when I reboot with the Internet Connected.

_______________________________________________________________________________________

Spybot Search and Destroy 1.2 (no updates) finds two recurring "Prolivation" changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www=http://
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\www=http://

_______________________________________________________________________________________


Ad-Aware finds 4 recurring errors. Here is the Ad-Aware Log:


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, April 03, 2005 4:11:06 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R34 23.03.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):63 total references
Windows(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-3-2005 4:11:06 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 172
ThreadCreationTime : 4-3-2005 8:45:55 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 4-3-2005 8:46:00 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 4-3-2005 8:46:01 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 244
ThreadCreationTime : 4-3-2005 8:46:03 PM
BasePriority : Normal
FileVersion : 5.00.2195.2780
ProductVersion : 5.00.2195.2780
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 256
ThreadCreationTime : 4-3-2005 8:46:03 PM
BasePriority : Normal
FileVersion : 5.00.2195.2964
ProductVersion : 5.00.2195.2964
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 388
ThreadCreationTime : 4-3-2005 8:46:06 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 440
ThreadCreationTime : 4-3-2005 8:46:09 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:8 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 524
ThreadCreationTime : 4-3-2005 8:46:10 PM
BasePriority : Normal
FileVersion : 5.00.2195.2104
ProductVersion : 5.00.2195.2104
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:9 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 568
ThreadCreationTime : 4-3-2005 8:46:12 PM
BasePriority : Normal
FileVersion : 4.71.2195.1
ProductVersion : 4.71.2195.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:10 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 356
ThreadCreationTime : 4-3-2005 8:46:13 PM
BasePriority : Normal
FileVersion : 1.50.1085.0029
ProductVersion : 1.50.1085.0029
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:11 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 856
ThreadCreationTime : 4-3-2005 8:46:36 PM
BasePriority : Normal
FileVersion : 5.00.3315.2846
ProductVersion : 5.00.3315.2846
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:12 [tp4serv.exe]
FilePath : C:\WINNT\System32\
ProcessID : 312
ThreadCreationTime : 4-3-2005 8:50:09 PM
BasePriority : Normal
FileVersion : 2.10
ProductVersion : 2.10
ProductName : IBM PS/2 TrackPoint Support
CompanyName : IBM Corporation
FileDescription : IBM PS/2 TrackPoint Daemon
InternalName : daemon.exe
LegalCopyright : Copyright © IBM Corporation 1997-2001
OriginalFilename : daemon.exe

#:13 [rundll32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 860
ThreadCreationTime : 4-3-2005 8:50:09 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : RUNDLL.EXE

#:14 [pgptray.exe]
FilePath : C:\Program Files\Network Associates\PGPNT\
ProcessID : 872
ThreadCreationTime : 4-3-2005 8:50:10 PM
BasePriority : Normal
FileVersion : 6.5.8
ProductVersion : 6.5.8
ProductName : PGPfreeware
CompanyName : Network Associates Technology, Inc.
FileDescription : PGP System Tray Application
InternalName : PGPtray
LegalCopyright : Copyright © 1997-1999 Network Associates Technology, Inc. All Rights Reserved.
LegalTrademarks : Network Associates, Pretty Good Privacy, PGP, PGPplugin
OriginalFilename : PGPtray.exe

#:15 [autochk.exe]
FilePath : C:\CFGSAFE\
ProcessID : 480
ThreadCreationTime : 4-3-2005 8:50:10 PM
BasePriority : Normal
FileVersion : 3.06.01
CompanyName : imagine LAN, Inc.
FileDescription : ConfigSafe Auto Check Program
InternalName : AUTOCHK
LegalCopyright : Copyright © 1995-2000
OriginalFilename : AUTOCHK.EXE

#:16 [navapw32.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Antivirus NT\
ProcessID : 664
ThreadCreationTime : 4-3-2005 8:50:10 PM
BasePriority : Idle
FileVersion : 7.07.00.23
ProductVersion : 7.07.00.23
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect
InternalName : NAVAPW32
LegalCopyright : Copyright © 2000 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPW32.EXE

#:17 [config.exe]
FilePath : C:\Program Files\Belkin\11Mbps Wireless Network\
ProcessID : 932
ThreadCreationTime : 4-3-2005 8:50:10 PM
BasePriority : Normal
FileVersion : 4.06.4.7
CompanyName : Neesus Datacom Inc.
FileDescription : Configuration Utility for Intersil driver
LegalCopyright : © Neesus Datacom Inc., 1997-2000
OriginalFilename : Config.exe

#:18 [hpodev07.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\
ProcessID : 924
ThreadCreationTime : 4-3-2005 8:50:10 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.09.40.03
ProductName : HP OfficeJet G Series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPODEV07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPODEV07.EXE
Comments : HP OfficeJet COM Device Objects

#:19 [msoffice.exe]
FilePath : C:\Program Files\Microsoft Office\Office10\
ProcessID : 960
ThreadCreationTime : 4-3-2005 8:50:14 PM
BasePriority : Normal


#:20 [hpoevm07.exe]
FilePath : C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\
ProcessID : 804
ThreadCreationTime : 4-3-2005 8:50:19 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.09.40.03
ProductName : HP OfficeJet G Series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOEVM07.EXE
Comments : HP OfficeJet COM Event Manager

#:21 [hposts07.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\
ProcessID : 1044
ThreadCreationTime : 4-3-2005 8:50:21 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.09.40.03
ProductName : HP OfficeJet G Series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOCPY07.EXE
Comments : HP OfficeJet Status

#:22 [hpofxm07.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\
ProcessID : 1052
ThreadCreationTime : 4-3-2005 8:50:21 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.09.40.03
ProductName : HP OfficeJet G Series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet G Series Fax Manager
InternalName : HPOFXM07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOFXM07.EXE
Comments : HP OfficeJet G Series Fax Manager

#:23 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1128
ThreadCreationTime : 4-3-2005 8:50:24 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:24 [spybotsd.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 820
ThreadCreationTime : 4-3-2005 9:00:05 PM
BasePriority : Normal
FileVersion : 1.2.0.8
ProductVersion : 1.2
ProductName : SpyBot-S&D
CompanyName : PepiMK Software
FileDescription : Spybot - Search & Destroy
InternalName : SpybotSD
LegalCopyright : © 2000-2003 Patrick M. Kolla
OriginalFilename : SpyBotSD.exe
Comments : Software to remove spyware and similar threats from your computer

#:25 [cmd.exe]
FilePath : C:\WINNT\system32\
ProcessID : 668
ThreadCreationTime : 4-3-2005 9:18:05 PM
BasePriority : Normal
FileVersion : 5.00.2195.2104
ProductVersion : 5.00.2195.2104
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows NT Command Processor
InternalName : cmd
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : Cmd.Exe

#:26 [notepad.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1072
ThreadCreationTime : 4-3-2005 10:05:42 PM
BasePriority : Normal
FileVersion : 5.00.2140.1
ProductVersion : 5.00.2140.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : NOTEPAD.EXE

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Windows Object Recognized!
Type : RegData
Data : http://101.nowfind.net/gall.php?url=
Category : Vulnerability
Comment : URL Prefix Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\url\defaultprefix
Value :
Data : http://101.nowfind.net/gall.php?url=

Windows Object Recognized!
Type : RegData
Data : http://101.nowfind.net/gall.php?url=
Category : Vulnerability
Comment : URL Prefix Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\url\prefixes
Value : home
Data : http://101.nowfind.net/gall.php?url=

Windows Object Recognized!
Type : RegData
Data : http://101.nowfind.net/gall.php?url=
Category : Vulnerability
Comment : URL Prefix Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\url\prefixes
Value : mosaic
Data : http://101.nowfind.net/gall.php?url=

Windows Object Recognized!
Type : RegData
Data : http://101.nowfind.net/gall.php?url=
Category : Vulnerability
Comment : URL Prefix Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\url\prefixes
Value : www
Data : http://101.nowfind.net/gall.php?url=

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\WINNT\System32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\DOCUME~1\aj\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4



MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\powerpoint\recentfolderlist
Description : list of recent folders used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\word\recent templates
Description : list of recent templates used by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\powerpoint\recentfolderlist
Description : list of recent folders used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\editor\insert hyperlink\recently used urls
Description : list of recently used urls in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\10.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\visualstudio\6.0
Description : last loaded solution in microsoft visual studio


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\explorer\frontpage explorer\recent web list
Description : list of recently used webs in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\mediaplayer\radio\mrulist
Description : list of recently used stations in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\editor
Description : last used folder in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\editor\recently used urls
Description : list of recently used urls in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\clipart gallery\2.0\mrudescription
Description : most recently used description in microsoft clipart gallery


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\visualstudio\6.0
Description : default open file location in microsoft visual basic


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\editor
Description : folder of the last used web in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\editor\per-web image save directories
Description : list of image save directories per web in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\visualstudio\6.0
Description : default new project location in microsoft visual basic


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\explorer\frontpage explorer\recent page list
Description : list of recently used pages in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\office\9.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\visualstudio\6.0
Description : default project open location in microsoft visual basic


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\explorer\frontpage explorer\recent file list
Description : list of recently used files in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\frontpage\editor\insert image\recently used urls
Description : list of recently used urls in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\visualstudio\6.0\projectmrulist
Description : list of recently used projects in microsoft visual studio


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


MRU List Object Recognized!
Location: : S-1-5-21-1645522239-1935655697-1708537768-1001\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\aj\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\aj\recent
Description : list of recently opened documents



Performing conditional scans...
--------------------------------------

Conditional scan result:
--------------------------------------
New critical objects: 0
Objects found so far: 67

4:13:23 PM Scan Complete

Summary Of This Scan
--------------------------------------
Total scanning time:00:02:16.817
Objects scanned:65515
Objects identified:4
Objects ignored:0
New critical objects:4


______________________________________________________________________________________


And here is the HijackThis logfile:


Logfile of HijackThis v1.99.1
Scan saved at 4:19:03 PM, on 4/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Trojan Fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {6224f700-cba3-4071-b251-47cb894244cd} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O15 - Trusted Zone: *.verisign.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...259/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe


_______________________________________________________________________________________

Hijack This Log with Internet Connected:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:52 PM, on 4/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Trojan Fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {6224f700-cba3-4071-b251-47cb894244cd} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O15 - Trusted Zone: *.verisign.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...259/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = se.fit.edu
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:20 AM

Posted 04 April 2005 - 12:42 AM

Hi SoftTest123. We've got a few things to clean up here. Please proceed with the following steps in order.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O9 - Extra button: (no name) - {6224f700-cba3-4071-b251-47cb894244cd} - (no file)
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O15 - Trusted Zone: *.verisign.com
O15 - Trusted Zone: *.windupdates.com
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINNT\System32\rpcss_pl.exe (verify that this is gone)

Next, let's clean up the temporary folders:
* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup
* Select the following items that are present and then click the OK button.
  * Temp Setup Files
  * Downloaded Program Files
  * Temp Internet Files
  * Debug Dump Files
  * Office Setup Files
  * old chkdsk files
  * Recycle Bin
  * Temp Remote Desktop Files
  * Setup Log Files
  * Temp Files
  * WebClient temp files

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:10:20 AM

Posted 04 April 2005 - 12:56 PM

I followed your directions precisely with the following exceptions:

Step 1: I followed this direction precisely. Note that many of the deleted entries reappeared upon "Restart".

Step 2, line two: My Start menu has no "My Computer". Instead I used Explorer to get to "My Computer".

C:\WINNT\System32\rpcss_pl.exe was no longer present (I followed the instructions for deleting this program including, as noted previously, the disassociation from rpcss).

I surely appreciate your help,
aaj "SoftTest123"
Cyber Entomologist
"Garbage In, Apology Out"

Following is the HijackThis logfile after "Restart"

Logfile of HijackThis v1.99.1
Scan saved at 11:39:47 AM, on 4/4/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Trojan Fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...259/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = se.fit.edu
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:20 AM

Posted 04 April 2005 - 01:29 PM

Hi SoftTest123. Alright, let's go through the steps again but this time in Safe Mode. Please print these directions and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:10:20 AM

Posted 08 April 2005 - 02:37 AM

I swear I posted a response to this immediately, but it is not here, so here is a new HJT log. Note that after deleting the specified items, they reappeared (if I do an immediate HJT log, they are not there; they take a little time to come back).

Logfile of HijackThis v1.99.1
Scan saved at 12:30:35 AM, on 4/8/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Trojan Fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...259/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = se.fit.edu
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 08 April 2005 - 12:41 PM

Hi SoftTest123. Ok, you've got something hiding in the registry here. Let's do the following.

Download and install the Microsoft AntiSpyware Beta. Update the program and let it do a complete scan. This may take a little while so be patient. Perform the fixes that it suggests.

When it is finished, reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts

Posted 10 April 2005 - 12:40 AM

This appears to be problematic. In order to download Microsoft AntiSpyware Beta, it is necessary to validate my copy of Windows. I downloaded their program GenuineCheck.exe but it requires Internet Explorer to run and I'm not going to run IE until I get these problems with the Registry straightened out. Lord knows what I might be downloading into my machine if I run IE. So GenuineCheck.exe had me download another program, legitcheck.hta. When I run this it asks for my 25 character product key, which I have. However, each time I enter a character of the key the program gives me a "script error on this page, do I want to continue?" I did and entered the whole key; however, MS failed to validate me and so I can't download the program. I discovered that if I maximize the legitcheck.hta window (not the default) it will accept characters without faulting. Again, however, there seems to be something in the registry for legitcheck.hta such that I do not have the opportunity to re-enter the product key to try again.

Sorry. Is there something else I can do short of changing to LINUX that will help solve the problem?


It really seems strange to me that because of defects in the Microsoft Product, my system is vulnerable to attack and that Microsoft won't allow me to download a program that might help (though I have my doubts) because of a defect in their software.

SoftTest123
Cyber Entomologist
"Garbage In, Apology Out"

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 April 2005 - 10:26 AM

Hi SoftTest123. You do not need to validate Windows to get the download. Just click on the option "No, do not validate Windows at this time, but take me to the download" and then click the Continue button. It will take you to the download page (that's what I did because I run FireFox).

OT :thumbsup:

Edited by OldTimer, 10 April 2005 - 10:26 AM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts

Posted 11 April 2005 - 01:13 AM

Well that was enlightening.

Microsoft AntiSpyware appeared to zap 4 nasties for me, but I still have the http://101.nowfind.biz/clickpps.php nasties. I selected the browser reconfigure option of MS AntiSpyware but the default used to restore was also http://101.nowfind.biz/clickpps.php so I didn't do the reconfigure.

Here is the HJT log after MSAS completion.




Logfile of HijackThis v1.99.1
Scan saved at 10:53:35 PM, on 4/10/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Trojan Fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...259/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = se.fit.edu
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 11 April 2005 - 02:04 AM

Hey SoftTest123. Ok, I was pondering over your problem and I want to try something new here. I think that maybe Autochk.exe might be interfering with these fixes. Autochk can protect the registry and its settings and I haven't come across it before. We will kill Autochk before the next fix and disable MS AntiSpyware because it will do the same. Ready? Let's go.

Step #1

Right-click on the MS AntiSpyware Beta icon in the TaskTray in the lower right-hand corner of the screen. It looks like a red circle with a yellow dot in the center. Choose Close or Exit from the popup menu and Yes or Ok to any prompts to confirm closing it down.

Step #2

Start HijackThis and follow these steps:
* Click on Config button
* Click on the Misc Tools button
* Click on the Open Process Manager button

Find the following items and click on each one to select it and then click on the Kill Process button to stop the process:
C:\CFGSAFE\AUTOCHK.EXE

Step #4

Now click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

If this doesn't work then I'll have to dig a little deeper into the ol' bag of tricks but I think we're pretty close here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#13 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts

Posted 11 April 2005 - 09:59 AM

First of all, after right-clicking on Microsoft AntiSpyware in the toolbar, the sequence to shut it down is Shutdown Microsoft Spyware and then YES.

Next, when starting HijackThis, the first selection for version 1.99.1 is None of the above, just start the program.

Then, after step 3, it is necessary to click on Back before clicking on Scan. The Scan button on the Configuration menu is inoperable on this version of HJT.

I hope these comments do not offend. It is my habit as a software tester to suggest corrections or improvements to what may become standard procedures. It is not a criticism, but an honest and sincere attempt to help you improve your already excellent service. (This is not a canned statement; perhaps it should be?)

BTW. I tried to print something the other day (to a file, I have no printer connected right now) and was informed that I have no print services. Maybe that is a clue. Even if it is not, I want to get back my print services.

Softtest123
Cyber Entomologist
"Garbage In, Apology Out"

Logfile of HijackThis v1.99.1
Scan saved at 7:42:46 AM, on 4/11/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Trojan Fix\HijackThis.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://101.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Belkin\11Mbps Wireless Network\Config.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...259/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.fit.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = se.fit.edu
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

Nice try. What shall we try next?
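
The fix list OldTimer assembled in post #12 and the "nothing changed" log in post #13 are the two things a helper does by hand here: pick out the hijacked IE settings, the hosts-file redirect, the O13 URL prefixes and the orphaned RPCSS+ service from a HijackThis log, then check after the reboot whether any of them came back. The script below is an added example of that triage logic and is not code from the thread, from OldTimer or from HijackThis; it assumes the HJT 1.99.1 line format seen in the logs above, takes its suspect domain list (nowfind.biz, nowfind.net) from those logs, and uses a constructed "after" log to show the persistence check doing something, since the real 4/11/2005 log was identical to the one before it.

```python
"""Triage HijackThis 1.99.1 log lines for the browser-hijack indicators
discussed in this thread, and report which of them survive a fix attempt.
Added example; not part of the thread or of HijackThis itself."""
import re
from urllib.parse import urlparse

# Domains taken from the hijacked entries in the logs posted above.
SUSPECT_DOMAINS = {"nowfind.biz", "nowfind.net"}

# Constructed excerpt of the 4/10/2005 log: a few hijacked R lines, the
# hosts-file entry, the O13 prefixes and the orphaned service, plus benign
# lines (O2, O4, two legitimate O23 entries and a constructed about:blank
# R0 line) to show what is NOT flagged.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
"""

# Constructed "after" log (hypothetical): a partially successful fix where
# the HKLM start page and the orphaned service entry have come back.
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://101.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\System32\rpcss_pl.exe (file missing)
"""

LINE_RE = re.compile(r"^(R[01]|O1|O13|O23)\s+-\s+(.*)$")


def host_of(url):
    """Lower-cased hostname of a URL, or '' for things like about:blank."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def matches_suspect(host):
    """True when host is one of SUSPECT_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def classify(line):
    """Return a reason string if the log line is a hijack indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section in ("R0", "R1"):
        # Start/search page registry values: flag URLs on suspect hosts.
        _, _, value = body.partition(" = ")
        host = host_of(value.strip())
        return f"{section}: IE setting points to {host}" if matches_suspect(host) else None
    if section == "O1":
        # hosts-file override of a real hostname (anything but localhost).
        m2 = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if m2 and m2.group(1).lower() != "localhost":
            return f"O1: hosts file maps {m2.group(1)} to {m2.group(2)}"
        return None
    if section == "O13":
        # URL prefixes rewrite every address typed without a scheme; only
        # an empty value or a bare scheme is normal here.
        _, _, value = body.partition(": ")
        value = value.strip()
        return f"O13: URL prefix hijack -> {value}" if value and value.lower() not in ("http://", "https://") else None
    if section == "O23":
        if "(file missing)" in body and "Unknown owner" in body:
            return "O23: service with unknown owner and missing binary"
        return None
    return None


def triage(log_text):
    """Return [(line, reason)] for every indicator line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append((line, reason))
    return findings


def persisted(before, after):
    """Indicator lines from `before` that are still present verbatim in `after`."""
    after_lines = {l.strip() for l in after.splitlines()}
    return [line for line, _ in triage(before) if line in after_lines]


if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE):
        print(f"{reason}\n    {line}")
    print("\nStill present after the fix:")
    for line in persisted(LOG_BEFORE, LOG_AFTER):
        print("    " + line)
```

Run against the real logs in this thread, `persisted()` returns every indicator, which is exactly what post #13 reports: a fix that "takes" in HijackThis but is undone by the next reboot points at something re-writing the values, which is why OldTimer goes after the running AUTOCHK.EXE and the AntiSpyware real-time protection before fixing. Anything the script flags is a candidate to verify, not an automatic fix; legitimate O13 prefixes exist in some corporate setups, so the suspect-domain list and the prefix rule are the places to tune it.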


#14 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts

Posted 11 April 2005 - 10:02 AM

Now that is odd. There is a great big grey blob over my posting. The proper header for the HJT log is:


Logfile of HijackThis v1.99.1
Scan saved at 7:42:46 AM, on 4/11/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

BTW, I am also running Firefox.

Softtest123

#15 softtest123

softtest123
  • Topic Starter

  • Members
  • 36 posts

Posted 14 April 2005 - 04:01 PM

Somehow my membership got deleted and you may not have received notification of my last two postings.

SoftTest123



