
Websearch


  • This topic is locked
22 replies to this topic

#1 JimmyJC

  • Members
  • 10 posts
  • Location: Sydney
Posted 15 September 2008 - 07:20 PM

I am getting popups from <hxxp://216.133.243.28/2.php> whenever I search in IE. Here is my HijackThis log. Kindly help me to solve this problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18, on 2008-09-16
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\system32\cisvc.exe
E:\Program Files\Altium6\DXPSecurityService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINNT\system32\stisvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\SW_D.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\SAP Manage\SAP Business One\SAP Business One.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\PROGRA~1\SAPMAN~1\SAPBUS~2\SAPBOU~1.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [TcX7gpCUqQ] C:\Documents and Settings\All Users\Application Data\vuxadaxc\nqdynonw.exe
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1138\..\Run: [] (User 'jcherbert')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1138\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'jcherbert')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1138\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'jcherbert')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1147\..\Run: [] (User 'LBaumann')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1148\..\Run: [] (User 'mchan')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1152\..\Run: [] (User 'smiholic')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1176\..\Run: [] (User 'evadnjal')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1177\..\Run: [] (User 'meddey')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1185\..\Run: [] (User 'ahmad')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1190\..\Run: [] (User 'NVenkat')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1197\..\Run: [internat.exe] internat.exe (User 'wmulyadi')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1198\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'aguan')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SAP Business One Service manager.lnk = E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.ulco.000\windows\system32\rnr20.dll' missing
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partserver.com/partserver/viewe...3d/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://companyweb/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197435815015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1205844989703
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3906EF1E-A594-4A57-B0DB-2093B894E2EB}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: SAP Business One Early Watch Alert (B1EwaService) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe
O23 - Service: SAP Business One License Manager 2005 (B1Lic2005) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Altium Designer Network License Service (DXPNetworkSecurityService) - Unknown owner - E:\Program Files\Altium6\DXPSecurityService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAP Business One BackUp Service (SBOBackUp) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
O23 - Service: SAP Business One DI Server (SBODI_Server) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe
O23 - Service: SAP Business One Messaging Service (SBOMail) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: TAO NT Naming Service (TAO_NT_Naming_Service) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe


Edited by Orange Blossom, 11 February 2013 - 01:56 AM.
Deactivate link. ~ OB
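As an added example that is not part of the thread, the script below parses a few of the HijackThis lines posted above and flags the ones a log helper would look at first: the Policies\Explorer\Run entry launching an executable from All Users\Application Data, the SSODL shell extension loading from a Program Files folder instead of system32, the missing Winsock LSP provider, and the dead service entry. The `Finding` type, the regular expressions and the location heuristics are my own assumptions, not HijackThis's logic; the sample lines are copied from the log in the first post, with the Java updater entry included as a benign control.

```python
"""Triage a few HijackThis log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: five lines copied from the HijackThis log posted above.
# The Java updater entry is benign and should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [TcX7gpCUqQ] C:\Documents and Settings\All Users\Application Data\vuxadaxc\nqdynonw.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.ulco.000\windows\system32\rnr20.dll' missing
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
"""


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. "O4"
    target: str         # file the entry points at (or the raw body if none)
    reasons: List[str]  # why a helper would look at this entry first


# Heuristic constants (assumptions for this example, not HijackThis's own rules).
SYSTEM_DIRS = ("\\winnt\\system32", "\\windows\\system32")
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

_LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
_PATH_RE = re.compile(r'([a-z]:\\[^"\']*?\.(?:exe|dll|ocx|scr))', re.IGNORECASE)


def extract_path(body: str) -> Optional[str]:
    """Return the first drive-letter path ending in a loadable file type."""
    m = _PATH_RE.search(body)
    return m.group(1) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply location-based heuristics to one HijackThis line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    path = extract_path(body)
    low_body, low_path = body.lower(), (path or "").lower()
    reasons: List[str] = []

    if "(file missing)" in low_body:
        reasons.append("entry points at a file that no longer exists")

    if section == "O4":
        # Policies\Explorer\Run is honoured at logon but rarely used by
        # legitimate installers, so any entry there deserves a look.
        if "policies\\explorer\\run" in low_body:
            reasons.append("autostart via Policies\\Explorer\\Run")
        if path and any(d in low_path for d in USER_WRITABLE):
            reasons.append("executable lives in a user-writable profile directory")
    elif section == "O21":
        # ShellServiceObjectDelayLoad DLLs shipped with Windows live in system32;
        # one loading from a random Program Files folder is worth checking.
        if path and not any(d in low_path for d in SYSTEM_DIRS):
            reasons.append("SSODL DLL loads from outside the system directory")
    elif section == "O10" and "missing" in low_body:
        reasons.append("Winsock LSP chain references a missing provider")

    return Finding(section, path or body, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line and keep the hits, in log order."""
    hits = (triage_line(line) for line in log_text.splitlines())
    return [f for f in hits if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:<4}{finding.target}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

The checks are deliberately about where a file lives and whether it still exists rather than about file names, because the random folder names in this log (vuxadaxc, jkdhfl) are easy for a human to spot but hard to score reliably in code; the location rules catch the same entries without flagging the legitimate Java, Adobe and SAP autostarts in the same log.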



#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,388 posts
  • Gender: Male
  • Location: USA

Posted 28 September 2008 - 06:03 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

#3 JimmyJC

  • Topic Starter
  • Members
  • 10 posts
  • Location: Sydney

Posted 28 September 2008 - 06:14 PM

Thank you for your reply,

I am still having the problem. I have had a few attempts at correcting the problem, but without luck.

Any help would be greatly appreciated.

JimmyJC

#4 Grinler (Lawrence Abrams)

  • Admin
  • 43,388 posts
  • Gender: Male
  • Location: USA

Posted 28 September 2008 - 07:25 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#5 JimmyJC

  • Topic Starter
  • Members
  • 10 posts
  • Location: Sydney

Posted 28 September 2008 - 09:59 PM

As advised:

ComboFix 08-09-20.05 - administrator 2008-09-23 13:01:37.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator.ULCO.000\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\dao350.dll
E:\Documents and Settings\ahmad\Cookies\ahmad@adsfac[3].txt
E:\Documents and Settings\ahmad\Cookies\ahmad@serving-sys[2].txt

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-23 13:08 . 08-09-23 13:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4dc.dat
2008-09-02 22:10 . 08-07-14 19:52 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-08-29 17:37 . 08-08-29 17:37 <DIR> d-------- C:\Program Files\DrayTek Router Tools V2.5.4
2008-08-26 15:01 . 08-08-26 15:01 <DIR> d---s---- E:\Documents and Settings\ahmad\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 03:08 --------- d-----w C:\Program Files\SolidWorks SolidNetWork License Manager
2008-09-17 23:35 --------- d-----w C:\Program Files\Visipay
2008-09-02 12:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\vuxadaxc
2008-08-26 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 04:46 --------- d-----w C:\Program Files\jkdhfl
2008-08-19 04:09 --------- d-----w C:\Program Files\Trend Micro
2008-08-19 04:02 --------- d-----w C:\Program Files\VISION
2008-08-18 23:14 --------- d-----w C:\Program Files\yxzjkdf
2008-08-06 06:39 --------- d-----w C:\Program Files\Yahoo!
2008-07-29 01:32 --------- d-----w C:\Documents and Settings\Administrator.ULCO.000\Application Data\U3
2008-07-29 00:56 824 ----a-w C:\jcanter.reg
2008-06-26 06:24 37,027 ----a-w C:\WINNT\atmoUn.exe
2007-06-28 06:13 480,816 ----a-w C:\Program Files\Sounds.EXE
2004-05-17 05:23 271 ---h--w C:\Program Files\desktop.ini
2004-05-17 05:23 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Tue 2008-08-19_14.03.11.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-19 04:01:13 201,154 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-09-23 03:09:51 201,154 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
- 1998-06-17 14:00:00 89,360 ------w C:\WINNT\system32\VB5DB.DLL
+ 1998-06-17 15:00:00 89,360 ----a-w C:\WINNT\system32\VB5DB.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-04-14 10:32 68856]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [03-12-04 11:44 385024]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [04-03-18 16:47 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [00-11-04 04:09 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 22:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 22:00 186640]

E:\Documents and Settings\sfuller\Start Menu\Programs\Startup\
OUTLOOK.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-10-22 196296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
SAP Business One Service manager.lnk - E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe [2006-09-21 69632]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-02 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFileAssociate"= 0 (0x0)
"ShowSuperHidden"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMsg"= {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll [08-08-19 14:46 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"SENTINEL"= snti386.dll

R0 aac;Adaptec SCSI RAID Miniport Driver;C:\WINNT\system32\drivers\aac.sys [02-10-18 04:01 33840]
R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-20 22:00 74448]
R2 APCPBEAgent;APC PBE Agent;C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe [05-04-14 09:40 28672]
R2 B1Lic2005;SAP Business One License Manager 2005;E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe [06-09-21 09:22 1552384]
R2 DXPNetworkSecurityService;Altium Designer Network License Service;E:\Program Files\Altium6\DXPSecurityService.exe [06-03-13 12:46 2550272]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-21 02:29 53248]
R2 MSSEARCH;Microsoft Search;C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe [02-12-04 09:52 69632]
R2 SBOBackUp;SAP Business One BackUp Service;E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe [06-09-21 14:25 45056]
R2 SBOMail;SAP Business One Messaging Service;E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe [06-09-21 14:25 139264]
R2 SolidWorks SolidNetWork License Manager;SolidWorks SolidNetWork License Manager;C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe [03-03-26 08:00 630272]
R3 TAO_NT_Naming_Service;TAO NT Naming Service;E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe [06-09-27 08:08 36864]
S2 B1EwaService;SAP Business One Early Watch Alert;E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe [06-09-21 14:26 212992]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [02-09-21 02:27 77824]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [02-09-21 02:41 77824]
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe [03-06-20 22:00 745232]
S3 SBODI_Server;SAP Business One DI Server;E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe [06-09-21 14:28 327680]
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [03-06-20 22:00 12336]
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-20 22:00 12664]
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-20 22:00 20760]
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-20 22:00 18392]
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-20 22:00 18264]
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [03-06-20 22:00 89360]
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-20 22:00 25872]
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-02-26 09:59 33552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Syslog - (no file)
HKLM-Explorer_Run-TcX7gpCUqQ - C:\Documents and Settings\All Users\Application Data\vuxadaxc\nqdynonw.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
O17 -: HKLM\CCS\Interface\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 -: HKLM\CCS\Interface\{3906EF1E-A594-4A57-B0DB-2093B894E2EB}: NameServer = 61.9.194.49,61.9.207.1

O16 -: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://www.partserver.com/partserver/viewer/cnsweb3d/cnsweb3d.cab
C:\WINNT\Downloaded Program Files\cnsweb3d.inf
C:\WINNT\Downloaded Program Files\cnsweb3d.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 13:10:50
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"=" "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe
-> C:\Program Files\jkdhfl\SysMsg.dll
.
Completion time: 2008-09-23 13:12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-23 03:12:13
ComboFix2.txt 2008-08-19 04:03:39

Pre-Run: 1,697,017,856 bytes free
Post-Run: 1,731,035,136 bytes free

154

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49, on 2008-09-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\system32\cisvc.exe
E:\Program Files\Altium6\DXPSecurityService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINNT\system32\stisvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\SW_D.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OIS.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1138\..\Run: [] (User 'jcherbert')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1138\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'jcherbert')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1138\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'jcherbert')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1147\..\Run: [] (User 'lbaumann')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1148\..\Run: [] (User 'mchan')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1152\..\Run: [] (User 'smiholic')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1176\..\Run: [] (User 'evadnjal')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1177\..\Run: [] (User 'meddey')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1187\..\Run: [] (User 'amckeon')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1190\..\Run: [] (User 'nvenkat')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1197\..\Run: [internat.exe] internat.exe (User 'wmulyadi')
O4 - HKUS\S-1-5-21-2436117625-1824372234-770653011-1198\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'aguan')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SAP Business One Service manager.lnk = E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.ulco.000\windows\system32\rnr20.dll' missing
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partserver.com/partserver/viewe...3d/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://companyweb/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197435815015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1205844989703
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3906EF1E-A594-4A57-B0DB-2093B894E2EB}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: SAP Business One Early Watch Alert (B1EwaService) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe
O23 - Service: SAP Business One License Manager 2005 (B1Lic2005) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Altium Designer Network License Service (DXPNetworkSecurityService) - Unknown owner - E:\Program Files\Altium6\DXPSecurityService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAP Business One BackUp Service (SBOBackUp) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
O23 - Service: SAP Business One DI Server (SBODI_Server) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe
O23 - Service: SAP Business One Messaging Service (SBOMail) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: TAO NT Naming Service (TAO_NT_Naming_Service) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe

--
End of file - 13241 bytes

#6 Grinler (Lawrence Abrams, Admin, Location: USA)

Posted 29 September 2008 - 07:40 AM

* Open Notepad. Don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\jcanter.reg
C:\Program Files\Sounds.EXE

Folder::
C:\Program Files\jkdhfl\

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMsg"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

#7 JimmyJC (Topic Starter, Location: Sydney)

Posted 29 September 2008 - 04:52 PM

Done...

Here are the logs:

ComboFix 08-09-28.01 - administrator 2008-09-30 7:37:49.3 - NTFSx86
Running from: C:\temp\ComboFix.exe
Command switches used :: U:\R

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-30 07:49 . 08-09-30 07:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4fc.dat
2008-09-30 07:35 . 08-09-30 07:32 2,863,454 -ra------ C:\temp\ComboFix.exe
2008-09-25 16:23 . 08-09-25 16:23 <DIR> d-------- E:\Documents and Settings\dwilliams\WINDOWS
2008-09-25 16:21 . 08-09-25 16:21 <DIR> d-------- C:\Documents and Settings\dwilliams\WINDOWS
2008-09-25 16:21 . 08-09-25 16:21 <DIR> d-------- C:\Documents and Settings\dwilliams
2008-09-02 22:10 . 08-07-14 19:52 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-08-29 17:37 . 08-08-29 17:37 <DIR> d-------- C:\Program Files\DrayTek Router Tools V2.5.4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 21:49 --------- d-----w C:\Program Files\SolidWorks SolidNetWork License Manager
2008-09-29 00:04 --------- d-----w C:\Program Files\Visipay
2008-09-02 12:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\vuxadaxc
2008-08-26 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 04:46 --------- d-----w C:\Program Files\jkdhfl
2008-08-19 04:09 --------- d-----w C:\Program Files\Trend Micro
2008-08-19 04:02 --------- d-----w C:\Program Files\VISION
2008-08-18 23:14 --------- d-----w C:\Program Files\yxzjkdf
2008-08-06 06:39 --------- d-----w C:\Program Files\Yahoo!
2008-07-29 01:32 --------- d-----w C:\Documents and Settings\Administrator.ULCO.000\Application Data\U3
2008-07-29 00:56 824 ----a-w C:\jcanter.reg
2007-06-28 06:13 480,816 ----a-w C:\Program Files\Sounds.EXE
2004-05-17 05:23 271 ---h--w C:\Program Files\desktop.ini
2004-05-17 05:23 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Tue 2008-08-19_14.03.11.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
- 2008-08-19 04:01:13 201,154 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-09-29 21:49:40 201,155 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
- 1998-06-17 14:00:00 89,360 ------w C:\WINNT\system32\VB5DB.DLL
+ 1998-06-17 15:00:00 89,360 ----a-w C:\WINNT\system32\VB5DB.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-04-14 10:32 68856]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [03-12-04 11:44 385024]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [04-03-18 16:47 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [00-11-04 04:09 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 22:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 22:00 186640]

E:\Documents and Settings\sfuller\Start Menu\Programs\Startup\
OUTLOOK.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-10-22 196296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
SAP Business One Service manager.lnk - E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe [2006-09-21 69632]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-02 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFileAssociate"= 0 (0x0)
"ShowSuperHidden"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMsg"= {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll [08-08-19 14:46 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"SENTINEL"= snti386.dll

R0 aac;Adaptec SCSI RAID Miniport Driver;C:\WINNT\system32\drivers\aac.sys [02-10-18 04:01 33840]
R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-20 22:00 74448]
R2 APCPBEAgent;APC PBE Agent;C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe [05-04-14 09:40 28672]
R2 B1Lic2005;SAP Business One License Manager 2005;E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe [06-09-21 09:22 1552384]
R2 DXPNetworkSecurityService;Altium Designer Network License Service;E:\Program Files\Altium6\DXPSecurityService.exe [06-03-13 12:46 2550272]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-21 02:29 53248]
R2 MSSEARCH;Microsoft Search;C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe [02-12-04 09:52 69632]
R2 SBOBackUp;SAP Business One BackUp Service;E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe [06-09-21 14:25 45056]
R2 SBOMail;SAP Business One Messaging Service;E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe [06-09-21 14:25 139264]
R2 SolidWorks SolidNetWork License Manager;SolidWorks SolidNetWork License Manager;C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe [03-03-26 08:00 630272]
R3 TAO_NT_Naming_Service;TAO NT Naming Service;E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe [06-09-27 08:08 36864]
S2 B1EwaService;SAP Business One Early Watch Alert;E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe [06-09-21 14:26 212992]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [02-09-21 02:27 77824]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [02-09-21 02:41 77824]
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe [03-06-20 22:00 745232]
S3 SBODI_Server;SAP Business One DI Server;E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe [06-09-21 14:28 327680]
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [03-06-20 22:00 12336]
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-20 22:00 12664]
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-20 22:00 20760]
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-20 22:00 18392]
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-20 22:00 18264]
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [03-06-20 22:00 89360]
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-20 22:00 25872]
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-02-26 09:59 33552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 07:50:00
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"=" "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe
-> C:\Program Files\jkdhfl\SysMsg.dll
.
Completion time: 2008-09-30 7:51:24 - machine was rebooted [administrator]
ComboFix-quarantined-files.txt 2008-09-29 21:51:19
ComboFix2.txt 2008-09-23 03:12:19
ComboFix3.txt 2008-08-19 04:03:39

Pre-Run: 1,713,426,432 bytes free
Post-Run: 1,641,562,112 bytes free

137


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:07 AM, on 30/09/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\system32\cisvc.exe
E:\Program Files\Altium6\DXPSecurityService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINNT\system32\stisvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\SW_D.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SAP Business One Service manager.lnk = E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'h:\windows\system32\rnr20.dll' missing
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partserver.com/partserver/viewe...3d/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://companyweb/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197435815015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1205844989703
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3906EF1E-A594-4A57-B0DB-2093B894E2EB}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: SAP Business One Early Watch Alert (B1EwaService) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe
O23 - Service: SAP Business One License Manager 2005 (B1Lic2005) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Altium Designer Network License Service (DXPNetworkSecurityService) - Unknown owner - E:\Program Files\Altium6\DXPSecurityService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAP Business One BackUp Service (SBOBackUp) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
O23 - Service: SAP Business One DI Server (SBODI_Server) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe
O23 - Service: SAP Business One Messaging Service (SBOMail) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: TAO NT Naming Service (TAO_NT_Naming_Service) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe

--
End of file - 11004 bytes

#8 JimmyJC (Topic Starter, Location: Sydney)

Posted 29 September 2008 - 04:53 PM

I have just done some checks.

The problem is still there.

Cheers,

#9 Grinler (Lawrence Abrams, Admin, Location: USA)

Posted 30 September 2008 - 08:28 AM

* Open Notepad. Don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Rootkit::
C:\Program Files\jkdhfl\SysMsg.dll

File::
C:\jcanter.reg

Folder::
C:\Program Files\jkdhfl
C:\Program Files\yxzjkdf


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

#10 JimmyJC (Topic Starter, Location: Sydney)

Posted 30 September 2008 - 05:43 PM

Hi,

Tried this again, and same result with Google searches.

I noticed that after the reboot, ComboFix runs again and creates the log. As soon as ComboFix closes, I notice a Google icon in the task pane (next to the time) saying "Google detected a change to your search settings."

Hope this helps.

ComboFix 08-09-30.02 - administrator 2008-10-01 8:27:37.5 - NTFSx86
Running from: C:\temp\ComboFix.exe
Command switches used :: U:\R

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-30 07:35 . 08-10-01 08:08 2,872,032 -ra------ C:\temp\ComboFix.exe
2008-09-25 16:23 . 08-09-25 16:23 <DIR> d-------- E:\Documents and Settings\dwilliams\WINDOWS
2008-09-25 16:21 . 08-09-25 16:21 <DIR> d-------- C:\Documents and Settings\dwilliams\WINDOWS
2008-09-25 16:21 . 08-09-25 16:21 <DIR> d-------- C:\Documents and Settings\dwilliams
2008-09-02 22:10 . 08-07-14 19:52 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-08-29 17:37 . 08-08-29 17:37 <DIR> d-------- C:\Program Files\DrayTek Router Tools V2.5.4
2008-08-26 15:01 . 08-08-26 15:01 <DIR> d---s---- E:\Documents and Settings\ahmad\UserData
2008-08-20 12:13 . 08-08-20 12:13 <DIR> d---s---- E:\Documents and Settings\jcherbert\UserData
2008-08-19 14:46 . 08-08-19 14:46 <DIR> d-------- C:\Program Files\jkdhfl
2008-08-19 14:40 . 08-08-19 14:40 <DIR> d---s---- C:\Documents and Settings\Administrator.ULCO.000\UserData
2008-08-19 14:09 . 08-08-19 14:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 09:14 . 08-08-19 09:14 <DIR> d-------- C:\Program Files\yxzjkdf
2008-08-19 09:14 . 08-09-02 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vuxadaxc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 22:32 --------- d-----w C:\Program Files\SolidWorks SolidNetWork License Manager
2008-09-30 07:45 --------- d-----w C:\Program Files\Visipay
2008-08-26 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 04:02 --------- d-----w C:\Program Files\VISION
2008-08-06 06:39 --------- d-----w C:\Program Files\Yahoo!
2008-07-29 01:32 --------- d-----w C:\Documents and Settings\Administrator.ULCO.000\Application Data\U3
2008-06-26 06:24 37,027 ----a-w C:\WINNT\atmoUn.exe
2007-06-28 06:13 480,816 ----a-w C:\Program Files\Sounds.EXE
2004-05-17 05:23 271 ---h--w C:\Program Files\desktop.ini
2004-05-17 05:23 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Tue 2008-08-19_14.03.11.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
- 2008-08-19 04:01:13 201,154 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-09-30 22:33:05 201,159 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-09-30 22:32:36 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_4fc.dat
- 1998-06-17 14:00:00 89,360 ------w C:\WINNT\system32\VB5DB.DLL
+ 1998-06-17 15:00:00 89,360 ----a-w C:\WINNT\system32\VB5DB.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-04-14 10:32 68856]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [03-12-04 11:44 385024]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [04-03-18 16:47 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [00-11-04 04:09 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 22:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 22:00 186640]

E:\Documents and Settings\sfuller\Start Menu\Programs\Startup\
OUTLOOK.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-10-22 196296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
SAP Business One Service manager.lnk - E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe [2006-09-21 69632]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-02 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFileAssociate"= 0 (0x0)
"ShowSuperHidden"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMsg"= {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll [08-08-19 14:46 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"SENTINEL"= snti386.dll

R0 aac;Adaptec SCSI RAID Miniport Driver;C:\WINNT\system32\drivers\aac.sys [02-10-18 04:01 33840]
R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-20 22:00 74448]
R2 APCPBEAgent;APC PBE Agent;C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe [05-04-14 09:40 28672]
R2 B1Lic2005;SAP Business One License Manager 2005;E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe [06-09-21 09:22 1552384]
R2 DXPNetworkSecurityService;Altium Designer Network License Service;E:\Program Files\Altium6\DXPSecurityService.exe [06-03-13 12:46 2550272]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-21 02:29 53248]
R2 MSSEARCH;Microsoft Search;C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe [02-12-04 09:52 69632]
R2 SBOBackUp;SAP Business One BackUp Service;E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe [06-09-21 14:25 45056]
R2 SBOMail;SAP Business One Messaging Service;E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe [06-09-21 14:25 139264]
R2 SolidWorks SolidNetWork License Manager;SolidWorks SolidNetWork License Manager;C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe [03-03-26 08:00 630272]
R3 TAO_NT_Naming_Service;TAO NT Naming Service;E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe [06-09-27 08:08 36864]
S2 B1EwaService;SAP Business One Early Watch Alert;E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe [06-09-21 14:26 212992]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [02-09-21 02:27 77824]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [02-09-21 02:41 77824]
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe [03-06-20 22:00 745232]
S3 SBODI_Server;SAP Business One DI Server;E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe [06-09-21 14:28 327680]
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [03-06-20 22:00 12336]
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-20 22:00 12664]
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-20 22:00 20760]
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-20 22:00 18392]
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-20 22:00 18264]
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [03-06-20 22:00 89360]
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-20 22:00 25872]
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-02-26 09:59 33552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 08:33:35
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"=" "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe
-> C:\Program Files\jkdhfl\SysMsg.dll
.
Completion time: 2008-10-01 8:35:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-30 22:34:55
ComboFix2.txt 2008-09-30 22:25:05
ComboFix3.txt 2008-09-29 21:51:24
ComboFix4.txt 2008-09-23 03:12:19
ComboFix5.txt 2008-09-30 22:27:20

Pre-Run: 1,651,867,648 bytes free
Post-Run: 1,644,511,232 bytes free

136


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:35, on 2008-10-01
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\system32\cisvc.exe
E:\Program Files\Altium6\DXPSecurityService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINNT\system32\stisvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\SW_D.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SAP Business One Service manager.lnk = E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.ulco.000\windows\system32\rnr20.dll' missing
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partserver.com/partserver/viewe...3d/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://companyweb/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197435815015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1205844989703
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3906EF1E-A594-4A57-B0DB-2093B894E2EB}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: SAP Business One Early Watch Alert (B1EwaService) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe
O23 - Service: SAP Business One License Manager 2005 (B1Lic2005) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Altium Designer Network License Service (DXPNetworkSecurityService) - Unknown owner - E:\Program Files\Altium6\DXPSecurityService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAP Business One BackUp Service (SBOBackUp) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
O23 - Service: SAP Business One DI Server (SBODI_Server) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe
O23 - Service: SAP Business One Messaging Service (SBOMail) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: TAO NT Naming Service (TAO_NT_Naming_Service) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe

--
End of file - 11024 bytes
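The load point the helper singles out in the next post is visible in the log above: the O21 SSODL line (ShellServiceObjectDelayLoad) points at C:\Program Files\jkdhfl\SysMsg.dll, and the ComboFix section "DLLs Loaded Under Running Processes" shows that same DLL inside explorer.exe. As an added illustration of how such a log is triaged (this is not code from the thread, from HijackThis or from BleepingComputer), the Python below parses HijackThis-style lines and flags three things: any O21 SSODL entry, a binary sitting in a random-looking folder directly under Program Files, and orphaned entries marked "(file missing)". The sample lines are constructed from the log above, and the "random-looking folder" vowel-ratio heuristic is an assumption of this example, not a rule HijackThis applies.

```python
"""Triage HijackThis-style log lines for suspicious autostart load points."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Syslog] C:\Program Files\DrayTek Router Tools V2.5.4\SyslogRd.exe
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
"""

# "O21 - <body>" style line; R/F/O sections all share the prefix shape.
LINE_RE = re.compile(r"^(?P<kind>[OFR]\d+) - (?P<body>.*)$")
# First Windows path in the body: drive letter, backslash, then the shortest run of
# characters (no quotes) ending in a binary extension. Trailing args are excluded.
PATH_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|ocx|sys|cpl|scr))', re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str
    path: str
    reasons: List[str]


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): a folder name made only of letters,
    at least 5 long, with under 20% vowels, is unlikely to be a vendor name."""
    lowered = name.lower()
    if not lowered.isalpha() or len(lowered) < 5:
        return False
    return sum(c in VOWELS for c in lowered) / len(lowered) < 0.2


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def parent_of_interest(path: str) -> Optional[str]:
    """Return the folder directly beneath 'Program Files' or 'Application Data'."""
    parts = path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower() in ("program files", "application data") and i + 1 < len(parts) - 1:
            return parts[i + 1]
    return None


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    path = extract_path(body)
    reasons: List[str] = []
    if kind == "O21":
        # SSODL objects are loaded by explorer.exe at every logon; very few legitimate
        # ones exist, so every entry deserves a look.
        reasons.append("SSODL entry: DLL is loaded into explorer.exe at logon")
    if path:
        folder = parent_of_interest(path)
        if folder and looks_random(folder):
            reasons.append(f"binary lives in random-looking folder '{folder}'")
    if "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    if not reasons:
        return None
    return Finding(kind, path or "", reasons)


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.kind, finding.path, "; ".join(finding.reasons))
```

On the constructed sample the O2, O4 Java and O4 DrayTek lines pass clean, the O21 line is reported twice over (SSODL plus the folder name jkdhfl), and the Norman service is reported only as an orphan, which is the low-priority cleanup item it is in the thread.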

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:50 PM

Posted 01 October 2008 - 07:34 AM

Download this program:

Suspicious files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\Program Files\jkdhfl\SysMsg.dll


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go here and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#12 JimmyJC

JimmyJC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Location:Sydney
  • Local time:07:50 AM

Posted 01 October 2008 - 04:43 PM

The archive has been sent.

Cheers,

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:50 PM

Posted 02 October 2008 - 09:01 AM

Got it and about to install it to see what's going on.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:50 PM

Posted 02 October 2008 - 08:31 PM

Please download The Avenger to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy the text in the quote box below and paste it into the View/edit script window:

    Folders to delete:
    C:\Program Files\jkdhfl
    C:\Program Files\yxzjkdf


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, briefly open a black command window on your desktop; this is normal.
  • After the restart, create a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of avenger.txt into your reply along with a fresh combofix log by using Add/Reply

#15 JimmyJC

JimmyJC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Location:Sydney
  • Local time:07:50 AM

Posted 03 October 2008 - 01:27 AM

No luck, I'm afraid...



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not delete folder "C:\Program Files\jkdhfl"
Deletion of folder "C:\Program Files\jkdhfl" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not delete folder "C:\Program Files\yxzjkdf"
Deletion of folder "C:\Program Files\yxzjkdf" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07, on 2008-10-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\system32\cisvc.exe
E:\Program Files\Altium6\DXPSecurityService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINNT\system32\stisvc.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\SW_D.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Syslog] C:\Program Files\DrayTek Router Tools V2.5.4\SyslogRd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SAP Business One Service manager.lnk = E:\Program Files\SAP\SAP Business One ServerTools\Service Manager\ServerManager.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator.ULCO.000\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.ulco.000\windows\system32\rnr20.dll' missing
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partserver.com/partserver/viewe...3d/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://companyweb/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197435815015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1205844989703
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3906EF1E-A594-4A57-B0DB-2093B894E2EB}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ulco.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{275AEA3D-092E-4841-AEE6-7168A0843E50}: NameServer = 61.9.194.49,61.9.207.1
O21 - SSODL: SysMsg - {0822C582-84F8-9284-A4A5-0198009085B0} - C:\Program Files\jkdhfl\SysMsg.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: SAP Business One Early Watch Alert (B1EwaService) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\EWA\EwaService.exe
O23 - Service: SAP Business One License Manager 2005 (B1Lic2005) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\B1License.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Altium Designer Network License Service (DXPNetworkSecurityService) - Unknown owner - E:\Program Files\Altium6\DXPSecurityService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - E:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAP Business One BackUp Service (SBOBackUp) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\BackUp\B1backUp.exe
O23 - Service: SAP Business One DI Server (SBODI_Server) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\DI_Server\B1DI_Server.exe
O23 - Service: SAP Business One Messaging Service (SBOMail) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\Mailer\B1mail.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: TAO NT Naming Service (TAO_NT_Naming_Service) - Unknown owner - E:\Program Files\SAP\SAP Business One ServerTools\License\NT_Naming_Service.exe

--
End of file - 10991 bytes



