
Analysis Hijackthis log


  • This topic is locked
11 replies to this topic

#1 Shree

  • Members
  • 6 posts

Posted 04 May 2005 - 09:29 AM

Dear members,

My operating system is Windows 2000.
Whenever I try to open Task Manager it opens for a second and then disappears, and I also cannot paste copied items on the system.

I have run Ad-Aware SE Personal and Spybot Search & Destroy.
Spybot detected some problems and fixed them using the 'Fix the selected problem' option of Spybot,
but I am still haunted by the same problem.
I ran HijackThis in Safe Mode and am pasting the log details below.
Please help me out.


HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 7:35:59 PM, on 5/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SCardClnt.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.exe
C:\download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.182.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.182.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.182.*;www.demo5.com;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\login.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKLM\..\Run: [Windows Manager Drivers] svscahost.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [IPC Connection] ipcconn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Messenger] winmessenger60.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] wupdatemanager.exe
O4 - HKLM\..\Run: [Shell Logon] C:\login.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [wintnt32.exe] wintnt32.exe
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dwz] C:\WINNT\dwz.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O4 - HKLM\..\RunServices: [Windows Manager Drivers] svscahost.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\RunServices: [IPC Connection] ipcconn.exe
O4 - HKLM\..\RunServices: [Windows Messenger] winmessenger60.exe
O4 - HKLM\..\RunServices: [wintnt32.exe] wintnt32.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Exodus] C:\Program Files\Exodus\Exodus.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Manager Drivers] svscahost.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Windows Messenger] winmessenger60.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] wupdatemanager.exe
O4 - HKCU\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\RunServices: [Windows Manager Drivers] svscahost.exe
O4 - HKCU\..\RunServices: [Windows Messenger] winmessenger60.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Speak by TextToSpeechMP3 - C:\Program Files\TextToSpeechMP3\ttsttsmcom.htm
O9 - Extra button: TextToSpeechMP3 - {03b5d444-9d5c-4361-aab5-f81f37f0f704} - C:\Program Files\TextToSpeechMP3\ttsttsmcomIE.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Change voice - {489BD066-48C3-4c2b-92A6-9311462429F3} - C:\Program Files\TextToSpeechMP3\ttsttsmiecv.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Pause Or Resume Speaking - {6f193b8e-2ad2-44ce-93a7-db3e042589ed} - C:\Program Files\TextToSpeechMP3\pausepeak.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Stop Speaking - {c14815f2-50bc-4f98-8d78-401bcc828a5f} - C:\Program Files\TextToSpeechMP3\stopspeak.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AACFFE-1AF5-4D88-9C73-B7EFBED02E60}: NameServer = 192.168.182.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D721A-9BB6-410E-ABCF-58EF88C50DE8}: NameServer = 202.88.156.6,202.88.130.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{595615DD-1625-44DB-A549-732F1EE1C838}: NameServer = 202.88.156.6,202.56.250.5
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AnmChannelFactoryServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
O23 - Service: AnmChannelServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
O23 - Service: AnmLoggerServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
O23 - Service: AnmSupplierServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: CT Bus Broker (CTBusBroker) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Dialogic System Service (Dialogic) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM WebSphere Application Server V6 - ax_winnt135Node01 (IBMWAS6Service - ax_winnt135Node01) - Unknown owner - e:\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS6Service - ax_winnt135Node01 (file missing)
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - D:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\system32\SCardClnt.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: UltraSQL Database Service (UltraSQL_Service) - Unknown owner - E:\psql\bin\post_svc.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)
O23 - Service: Infinite WebMail Service (WebSvcNT) - Unknown owner - D:\PROGRA~1\WebMail\WebSvcNT.EXE


#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 May 2005 - 10:28 PM

Hello Shree and welcome to the BC forums. It appears that we have several infections here to deal with. This will take multiple stages so please have patience. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\login.exe
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [Windows Manager Drivers] svscahost.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [IPC Connection] ipcconn.exe
O4 - HKLM\..\Run: [Windows Messenger] winmessenger60.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] wupdatemanager.exe
O4 - HKLM\..\Run: [Shell Logon] C:\login.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [wintnt32.exe] wintnt32.exe
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dwz] C:\WINNT\dwz.exe
O4 - HKLM\..\RunServices: [Windows Manager Drivers] svscahost.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\RunServices: [IPC Connection] ipcconn.exe
O4 - HKLM\..\RunServices: [Windows Messenger] winmessenger60.exe
O4 - HKLM\..\RunServices: [wintnt32.exe] wintnt32.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [Windows Manager Drivers] svscahost.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Windows Messenger] winmessenger60.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] wupdatemanager.exe
O4 - HKCU\..\RunServices: [Windows Manager Drivers] svscahost.exe
O4 - HKCU\..\RunServices: [Windows Messenger] winmessenger60.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\login.exe
C:\WINDOWS\system32\picsvr\ <--folder
c:\temp\salm.exe
C:\WINDOWS\seeve.exe
C:\Program Files\Media Access\ <--folder
C:\WINNT\dwz.exe

Search for the files below and delete all instances found. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

svscahost.exe
CTSVCCD.EXE
ipcconn.exe
winmessenger60.exe
wupdatemanager.exe
wintnt32.exe
mouseutils.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan

Make sure that you choose "fix" or "clean".

Step #7

AdAware SE
  • Close ALL windows and start Ad-Aware SE.
  • Click on the 'world' icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Shree
  • Topic Starter

  • Members
  • 6 posts

Posted 06 May 2005 - 01:06 AM

Hello OldTimer,
Thanks for the reply. It worked and the problem of the Task Manager window disappearing was solved. I could not do the online virus scan due to some network problem, but I downloaded the PC-cillin trial version, scanned, and also cleaned the infected viruses. But I am faced with a new problem of copy/paste.

I cannot paste the copied resources in any way (i.e. right click, menu, keyboard).
Can you help me on this? This is giving me a lot of problems, as copy/paste is very much needed in my daily routine.
I am attaching the latest HijackThis log.
Any help would be appreciated.
One more problem: there are many programs which start popping up as soon as I log in.
How can I stop them from executing during startup?


Logfile of HijackThis v1.99.1
Scan saved at 11:27:36 AM, on 5/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\system32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\cpqa1000.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.182.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.182.*;www.demo5.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dwz] C:\WINNT\dwz.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Exodus] C:\Program Files\Exodus\Exodus.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Speak by TextToSpeechMP3 - C:\Program Files\TextToSpeechMP3\ttsttsmcom.htm
O9 - Extra button: TextToSpeechMP3 - {03b5d444-9d5c-4361-aab5-f81f37f0f704} - C:\Program Files\TextToSpeechMP3\ttsttsmcomIE.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Change voice - {489BD066-48C3-4c2b-92A6-9311462429F3} - C:\Program Files\TextToSpeechMP3\ttsttsmiecv.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Pause Or Resume Speaking - {6f193b8e-2ad2-44ce-93a7-db3e042589ed} - C:\Program Files\TextToSpeechMP3\pausepeak.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Stop Speaking - {c14815f2-50bc-4f98-8d78-401bcc828a5f} - C:\Program Files\TextToSpeechMP3\stopspeak.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AACFFE-1AF5-4D88-9C73-B7EFBED02E60}: NameServer = 192.168.182.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D721A-9BB6-410E-ABCF-58EF88C50DE8}: NameServer = 202.88.156.6,202.88.130.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{595615DD-1625-44DB-A549-732F1EE1C838}: NameServer = 202.88.156.6,202.56.250.5
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AnmChannelFactoryServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
O23 - Service: AnmChannelServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
O23 - Service: AnmLoggerServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
O23 - Service: AnmSupplierServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: CT Bus Broker (CTBusBroker) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Dialogic System Service (Dialogic) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM WebSphere Application Server V6 - ax_winnt135Node01 (IBMWAS6Service - ax_winnt135Node01) - Unknown owner - e:\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS6Service - ax_winnt135Node01 (file missing)
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - D:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\system32\SCardClnt.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: UltraSQL Database Service (UltraSQL_Service) - Unknown owner - E:\psql\bin\post_svc.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)
O23 - Service: Infinite WebMail Service (WebSvcNT) - Unknown owner - D:\PROGRA~1\WebMail\WebSvcNT.EXE

#4 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 06 May 2005 - 03:14 PM

Hi Shree. We still have to remove Media Access, which is probably where all of the popups are coming from, but before we do, can you tell me if this machine is on a network using a proxy server? If not, then there are a couple of other things that we have to remove also, which could have been put there by one of the infections we are cleaning off.

Cheers.

OT

#5 Shree
  • Topic Starter

  • Members
  • 6 posts

Posted 09 May 2005 - 01:29 AM

Hi OT,
The machine is on the network but not using proxy server.

#6 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 May 2005 - 07:24 AM

Hi Shree. Ok, let's finish removing Media Access.

Step #1

We need to disable TeaTimer so it does not interfere with the fixes we are about to do.
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck Resident TeaTimer and OK any prompts
  • Restart your computer.
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft AntiSpyware.
  • Click on Options>Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.182.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.182.*;www.demo5.com;<local>
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dwz] C:\WINNT\dwz.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\Program Files\Media Access <--folder
C:\WINNT\dwz.exe

Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.

If needed, start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode just stay in Safe Mode until I tell you to reboot normally.

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

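The steps above are the manual version of a triage pass over a HijackThis log: decide which Run (O4) entries launch from odd places or match known unwanted programs, which ActiveX (O16) entries are orphaned, and which proxy (R1) and DNS (O17) settings need a second look. The script below is an added example written for this thread; it is not HijackThis code or anything the forum's helpers used. The sample log is constructed from the entry types seen in the thread (the two GUID placeholders in the O17 lines and the `example.invalid` URL are made up), and the "known unwanted" name list is an assumption standing in for the database a real tool would consult.

```python
"""Triage helper for HijackThis-style log lines (added example, not the thread's tooling)."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample, modelled on the entry types in the thread's logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.182.1:8080
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dwz] C:\WINNT\dwz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://example.invalid/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER-1}: NameServer = 192.168.182.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER-2}: NameServer = 202.88.156.6,202.88.130.67
"""

# Run-key names the thread's helper told the poster to fix. Constructed stand-in
# for the maintained database a real tool would query.
KNOWN_UNWANTED_RUN_NAMES = {"media access", "dwz"}
# An executable dropped straight into the Windows directory (not a subfolder)
# is unusual for legitimate software and worth a second look.
WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>.*),(?P<value>\w+) = (?P<data>.*)$")


def exe_path(cmd: str) -> str:
    """Return the executable from a Run-key command line (quoted or bare)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def is_rfc1918(addr: str) -> bool:
    """True when the IPv4 address lies in a private (RFC 1918) range."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one log line; empty means nothing to note."""
    notes: List[Tuple[str, str]] = []
    m = O4_RE.match(line)
    if m:
        name, path = m.group("name"), exe_path(m.group("cmd"))
        if name.lower() in KNOWN_UNWANTED_RUN_NAMES:
            notes.append(("fix", f"Run entry '{name}' is a known unwanted program"))
        if "\\" in path:
            if path.rsplit("\\", 1)[0].lower() in WINDOWS_ROOTS:
                notes.append(("fix", f"{path} runs from the Windows directory root"))
        else:
            notes.append(("review", f"bare filename {path}: confirm which file on PATH actually runs"))
        return notes
    m = O16_RE.match(line)
    if m:
        if not m.group("url"):
            notes.append(("fix", f"ActiveX entry {m.group('clsid')} has no download source (orphaned DPF)"))
        return notes
    m = O17_RE.match(line)
    if m:
        external = [s.strip() for s in m.group("servers").split(",") if not is_rfc1918(s)]
        if external:
            notes.append(("review", "DNS servers outside private ranges: " + ", ".join(external)
                          + " (normal if assigned by the ISP; verify)"))
        return notes
    m = R1_RE.match(line)
    if m and m.group("value") in {"ProxyServer", "AutoConfigURL"}:
        notes.append(("review", f"browser {m.group('value')} = {m.group('data')}; confirm it is the intended gateway"))
    return notes


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk a log and collect findings; a line is 'fix' if any of its reasons is."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        notes = check_line(line)
        if notes:
            severity = "fix" if any(s == "fix" for s, _ in notes) else "review"
            findings.append({"line": line, "severity": severity,
                             "reason": "; ".join(r for _, r in notes)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['line']}\n         {f['reason']}")
```

Run against the sample, the two Run entries the helper told the poster to fix and the orphaned O16 entry come out as "fix"; the proxy setting, the bare `Promon.exe` and the public DNS servers come out as "review", which matches the later verdict in the thread that those are clean once confirmed legitimate.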

#7 Shree

Shree
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 10 May 2005 - 01:49 AM

Hi OT,
The pop ups have not stopped. There is Media Access folder or dwz.exe in the system. Is there any registry value that needs to be changed to stop pop ups after login?
The two applications Exodus and Skype keep popping up when I log in.
One more problem is I cannot copy/paste files or folders, but I can copy/paste the contents of files.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:18 PM, on 9/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\system32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Exodus\Exodus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\download\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKLM\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Exodus] C:\Program Files\Exodus\Exodus.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O8 - Extra context menu item: Speak by TextToSpeechMP3 - C:\Program Files\TextToSpeechMP3\ttsttsmcom.htm
O9 - Extra button: TextToSpeechMP3 - {03b5d444-9d5c-4361-aab5-f81f37f0f704} - C:\Program Files\TextToSpeechMP3\ttsttsmcomIE.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Change voice - {489BD066-48C3-4c2b-92A6-9311462429F3} - C:\Program Files\TextToSpeechMP3\ttsttsmiecv.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Pause Or Resume Speaking - {6f193b8e-2ad2-44ce-93a7-db3e042589ed} - C:\Program Files\TextToSpeechMP3\pausepeak.exe
O9 - Extra button: Stop Speaking - {c14815f2-50bc-4f98-8d78-401bcc828a5f} - C:\Program Files\TextToSpeechMP3\stopspeak.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AACFFE-1AF5-4D88-9C73-B7EFBED02E60}: NameServer = 192.168.182.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D721A-9BB6-410E-ABCF-58EF88C50DE8}: NameServer = 202.88.156.6,202.88.130.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{595615DD-1625-44DB-A549-732F1EE1C838}: NameServer = 192.168.182.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AnmChannelFactoryServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
O23 - Service: AnmChannelServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
O23 - Service: AnmLoggerServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
O23 - Service: AnmSupplierServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: CT Bus Broker (CTBusBroker) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Dialogic System Service (Dialogic) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM WebSphere Application Server V6 - ax_winnt135Node01 (IBMWAS6Service - ax_winnt135Node01) - Unknown owner - e:\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS6Service - ax_winnt135Node01 (file missing)
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - D:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\system32\SCardClnt.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: UltraSQL Database Service (UltraSQL_Service) - Unknown owner - E:\psql\bin\post_svc.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)
O23 - Service: Infinite WebMail Service (WebSvcNT) - Unknown owner - D:\PROGRA~1\WebMail\WebSvcNT.EXE

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:06:48 PM

Posted 10 May 2005 - 10:34 AM

Hi Shree. The log is clean. There are no signs of viruses or malware at this time. What do the popups that you are getting say? Are they advertising popups or system popups?

As for Skype and Exodus, those are valid applications that have been installed. If you did not install them on your system you can uninstall them from the Add/Remove option in the Control Panel.

Post back with the details regarding the popups and we will continue from there.

Cheers.

OT

#9 Shree

Shree
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 12 May 2005 - 02:00 AM

OT,
Thanks for the overview.
But I have a problem with the copy/paste operation.
I cannot copy/paste a folder or a file,
but I can copy/paste the contents of a file into another file.

Below is the latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:40 PM, on 9/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\system32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Exodus\Exodus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\download\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKLM\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Compaq Print Fax] cpqa1000.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Exodus] C:\Program Files\Exodus\Exodus.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Compaq Print Fax] cpqa1000.exe
O8 - Extra context menu item: Speak by TextToSpeechMP3 - C:\Program Files\TextToSpeechMP3\ttsttsmcom.htm
O9 - Extra button: TextToSpeechMP3 - {03b5d444-9d5c-4361-aab5-f81f37f0f704} - C:\Program Files\TextToSpeechMP3\ttsttsmcomIE.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Change voice - {489BD066-48C3-4c2b-92A6-9311462429F3} - C:\Program Files\TextToSpeechMP3\ttsttsmiecv.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Pause Or Resume Speaking - {6f193b8e-2ad2-44ce-93a7-db3e042589ed} - C:\Program Files\TextToSpeechMP3\pausepeak.exe
O9 - Extra button: Stop Speaking - {c14815f2-50bc-4f98-8d78-401bcc828a5f} - C:\Program Files\TextToSpeechMP3\stopspeak.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AACFFE-1AF5-4D88-9C73-B7EFBED02E60}: NameServer = 192.168.182.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D721A-9BB6-410E-ABCF-58EF88C50DE8}: NameServer = 202.88.156.6,202.88.130.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{595615DD-1625-44DB-A549-732F1EE1C838}: NameServer = 192.168.182.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AnmChannelFactoryServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
O23 - Service: AnmChannelServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
O23 - Service: AnmLoggerServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
O23 - Service: AnmSupplierServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: CT Bus Broker (CTBusBroker) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Dialogic System Service (Dialogic) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IBM WebSphere Application Server V6 - ax_winnt135Node01 (IBMWAS6Service - ax_winnt135Node01) - Unknown owner - e:\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS6Service - ax_winnt135Node01 (file missing)
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - D:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\system32\SCardClnt.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: UltraSQL Database Service (UltraSQL_Service) - Unknown owner - E:\psql\bin\post_svc.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)
O23 - Service: Infinite WebMail Service (WebSvcNT) - Unknown owner - D:\PROGRA~1\WebMail\WebSvcNT.EXE

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:06:48 PM

Posted 12 May 2005 - 12:44 PM

Hi Shree. The log is no different. It is clean. The copy/paste function does not appear to be related to any viruses or malware.

What I suggest is posting your question in the Windows 2000 forum and see if someone there can answer your questions.

Cheers.

OT

#11 Shree

Shree
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 13 May 2005 - 09:47 AM

Thanks OT for everything...
It was nice communicating with you.

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:06:48 PM

Posted 13 May 2005 - 12:39 PM

You're welcome Shree. I'm glad that we could help.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup: