newbie needs your expertise on this highjack log



#1 kellyaswift
Posted 08 June 2005 - 10:51 AM

Sorry...spelled hijack wrong...long day. I am bombarded with popups. Think I have several problems - Ebates Moneymaker and IBIS Toolbar, among others. But not sure. I've tried Spybot S & D, AdAware, MS Antispyware, and Spy Control - to no avail. Each shows the problem fixed and then it immediately reappears. I would turn off my system restore but I don't know where it is or if it exists on Win 2000. I can't get any work done - please help!

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:40 AM, on 6/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\unumkr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.79.downloads.estara.com....125421OneCC.cab
O16 - DPF: {6C9BF525-DA4D-4BB6-BD92-47FBDDB42DF5} (TaxCalculator.CTaxer) - http://prod.comcept.net/ActiveX/TaxerCalculator.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.comcept.net/Viewer/activexviewer.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D312963A-D83D-4766-AB92-DD5A30D5EF95} (CMSProdActiveX.XMLLoad) - http://prod.comcept.net/ActiveX/CMSProdActiveX.CAB
O16 - DPF: {F90D47D0-F243-49B3-9E7B-F2D49567E626} (IEPrntCtl Class) - http://prod.comcept.net/ActiveX/IEPrintControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Edited by kellyaswift, 08 June 2005 - 10:52 AM.

#2 ddeerrff

  • Malware Response Team (Retired)

Posted 09 June 2005 - 12:08 AM

Hello kellyaswift and welcome to BleepingComputer.

Download LQfix.zip.
- Unzip it to your desktop.
- Do not use it yet.

Download FindQoologic.zip.
- Unzip it to your desktop.
- Do not use it yet.

Configure Windows to enable viewing of Hidden and System files.


Reboot into Safe Mode.


Locate LQFix.bat on your desktop.
- Double-click on LQFix.bat. A command window will open and close again; that is normal.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe
O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINNT\system32\unumkr.exe <--Files
C:\winnt\system32\eliteyfd32.exe
C:\WINNT\system32\dpnhpast.exe

Reboot normally.

Run Find-Qoologic2.bat.
-This will generate a log file; please post the entire contents of the log file here for me to see.

Also post a fresh HJT log.
Derfram
~~~~~~

#3 kellyaswift
Posted 09 June 2005 - 08:41 AM

Thank you so much for your help! I've followed your directions and everything went great until I tried to run Find-Qoologic2.bat. I received the following error message:

C:\WINNT\system32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
Choose 'Close' to terminate the application.

I tried to choose 'Ignore' and it would not allow me to.

However, here is my new HJT log. THANKS AGAIN!


Logfile of HijackThis v1.99.1
Scan saved at 9:40:34 AM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtrp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.79.downloads.estara.com....125421OneCC.cab
O16 - DPF: {6C9BF525-DA4D-4BB6-BD92-47FBDDB42DF5} (TaxCalculator.CTaxer) - http://prod.comcept.net/ActiveX/TaxerCalculator.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.comcept.net/Viewer/activexviewer.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D312963A-D83D-4766-AB92-DD5A30D5EF95} (CMSProdActiveX.XMLLoad) - http://prod.comcept.net/ActiveX/CMSProdActiveX.CAB
O16 - DPF: {F90D47D0-F243-49B3-9E7B-F2D49567E626} (IEPrntCtl Class) - http://prod.comcept.net/ActiveX/IEPrintControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
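Added example, not part of the thread: a small Python script that does mechanically what Derfram does by eye between posts #1 and #3. It parses two HijackThis logs, reports which R/O entries and running processes appeared or disappeared between scans, and checks which of the four "Fix Checked" lines from post #2 still show. The embedded logs are trimmed excerpts of the two logs posted above, not a fresh scan; comparison is case-insensitive because Windows paths are.

```python
import re
from collections import namedtuple

# Trimmed excerpts of the two HJT logs posted in this thread (before and
# after the first fix round); taken from the page, not a fresh scan.
HJT_BEFORE = r"""
Running processes:
C:\WINNT\system32\unumkr.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe
O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe
"""
HJT_AFTER = r"""
Running processes:
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtrp.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run
"""
# The four lines the helper asked to "Fix Checked" in post #2.
FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run",
    r"O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyfd32.exe",
    r"O4 - HKCU\..\Run: [dpnhpast] C:\WINNT\system32\dpnhpast.exe",
]

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - ")   # HJT section-tagged lines
HjtLog = namedtuple("HjtLog", "processes entries")  # both are frozensets

def norm(line: str) -> str:
    """Lower-case and collapse whitespace: Windows paths are case-insensitive."""
    return " ".join(line.split()).lower()

def parse_hjt(text: str) -> HjtLog:
    """Split a log into its running-process block and its R/F/N/O entries."""
    procs, entries, in_procs = set(), set(), False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False           # a blank line ends the process block
        elif line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs:
            procs.add(norm(line))
        elif ENTRY_RE.match(line):
            entries.add(norm(line))
    return HjtLog(frozenset(procs), frozenset(entries))

def compare(before: HjtLog, after: HjtLog) -> dict:
    """What changed between two scans of the same machine."""
    return {"removed_entries": sorted(before.entries - after.entries),
            "new_entries": sorted(after.entries - before.entries),
            "gone_processes": sorted(before.processes - after.processes),
            "new_processes": sorted(after.processes - before.processes)}

def still_showing(fix_lines, after: HjtLog) -> list:
    """Fix-list lines that survived 'Fix Checked' (here: the KavSvc entry)."""
    return [l for l in fix_lines if norm(l) in after.entries]

if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    for key, lines in compare(before, after).items():
        print(key, *lines, sep="\n  ")
    print("still showing:", still_showing(FIX_LIST, after))
```

The output mirrors the thread: three of the four checked lines are gone, the KavSvc entry came straight back, unumkr.exe is no longer running, and a new rtrp.exe has appeared in the Startup folder, which is why the next round reaches for Killbox and a Find-Qoologic log.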

#4 ddeerrff
Posted 09 June 2005 - 09:35 AM

C:\WINNT\system32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.

Fairly common problem.

Download xp_fix.exe to your desktop and run it. Reboot your computer and give Find-Qoologic2.bat another try.
Derfram
~~~~~~

#5 kellyaswift
Posted 09 June 2005 - 10:12 AM

Done. Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINNT\System32\UNUMKR.EXE
* KavSvc C:\WINNT\System32\OGOHIPZ.DLL
* KavSvc C:\WINNT\System32\SUPDATE.DLL
* aspack C:\WINNT\System32\DODRNCB.EXE
* aspack C:\WINNT\System32\REDIT.CPL
* UPX! C:\WINNT\System32\UCI.EXE
* UPX! C:\WINNT\System32\UNUMKR.EXE
* UPX! C:\WINNT\System32\OGOHIPZ.DLL
* UPX! C:\WINNT\System32\SUPDATE.DLL
* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RTRP.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk
rtrp.exe

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

#6 ddeerrff
Posted 09 June 2005 - 11:42 AM

It looks like either you didn't copy/paste all the Qoologic log, or you did not allow it to finish. We have enough info to continue, but be sure you get the whole log next time.


Please download the Killbox.
- Unzip it to the desktop.
- Run Killbox.
- Select "Delete on Reboot".

Copy the file names below by highlighting them and pressing Control-C:

C:\WINNT\System32\UNUMKR.EXE
C:\WINNT\System32\OGOHIPZ.DLL
C:\WINNT\System32\SUPDATE.DLL
C:\WINNT\System32\DODRNCB.EXE
C:\WINNT\System32\REDIT.CPL
C:\WINNT\System32\UCI.EXE
C:\WINNT\System32\UNUMKR.EXE
C:\WINNT\System32\OGOHIPZ.DLL
C:\WINNT\System32\SUPDATE.DLL
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtrp.exe


- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unumkr.exe reg_run

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Reboot normally once more, then please run and post fresh HJT and Find-Qoologic2 logs.
Derfram
~~~~~~
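Added example, not part of the thread: Python that parses the Find-Qoologic2 "Files found" and "startup files" sections from post #5, groups the heuristic tags per path (a file hit by both the KavSvc and UPX! checks stands out more than a lone packer hit), and builds the de-duplicated Killbox paste list; the list above repeats UNUMKR.EXE, OGOHIPZ.DLL and SUPDATE.DLL once each. The embedded log is a trimmed excerpt of the posted one, and the leave_alone list is the analyst's call; here it mirrors Derfram's choice to leave VSAPI32.DLL and TSC.EXE alone.

```python
import re

# Trimmed excerpt of the Find-Qoologic2 log posted in this thread (not a
# fresh scan). The tool itself warns that legitimate files will be listed.
QOOLOGIC_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINNT\System32\UNUMKR.EXE
* KavSvc C:\WINNT\System32\OGOHIPZ.DLL
* KavSvc C:\WINNT\System32\SUPDATE.DLL
* aspack C:\WINNT\System32\DODRNCB.EXE
* UPX! C:\WINNT\System32\UCI.EXE
* UPX! C:\WINNT\System32\UNUMKR.EXE
* UPX! C:\WINNT\System32\SUPDATE.DLL
* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\TSC.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RTRP.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
"""

SECTION_RE = re.compile(r"^»+\s*(.*?)\s*»+$")   # »»» Files found »»»
HIT_RE = re.compile(r"^\*\s+(\S+)\s+(.+?)\s*$")  # * <tag> <path>

def parse_qoologic(text: str) -> dict:
    """Map each section name to its (tag, path) hits, in log order."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections

def tags_by_path(sections: dict) -> dict:
    """Every heuristic tag per path, keyed case-insensitively. A path hit by
    several heuristics (UNUMKR.EXE: KavSvc + UPX!) deserves a closer look."""
    out = {}
    for hits in sections.values():
        for tag, path in hits:
            out.setdefault(path.lower(), (path, []))[1].append(tag)
    return {orig: sorted(set(tags)) for orig, tags in out.values()}

def killbox_list(sections: dict, leave_alone=()) -> list:
    """Unique paths for Killbox's 'Paste from Clipboard', first-seen order,
    minus the files the analyst decided to keep. 8.3 short names such as
    docume~1 are passed through unchanged."""
    skip = {p.lower() for p in leave_alone}
    seen, out = set(), []
    for hits in sections.values():
        for _, path in hits:
            if path.lower() not in seen and path.lower() not in skip:
                seen.add(path.lower())
                out.append(path)
    return out

if __name__ == "__main__":
    found = parse_qoologic(QOOLOGIC_LOG)
    for path, tags in tags_by_path(found).items():
        print(", ".join(tags).ljust(14), path)
    keep = [r"C:\WINNT\VSAPI32.DLL", r"C:\WINNT\TSC.EXE"]
    print("\n".join(killbox_list(found, leave_alone=keep)))
```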

#7 kellyaswift
Posted 09 June 2005 - 12:40 PM

Followed your instructions again.

Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:39:34 PM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.79.downloads.estara.com....125421OneCC.cab
O16 - DPF: {6C9BF525-DA4D-4BB6-BD92-47FBDDB42DF5} (TaxCalculator.CTaxer) - http://prod.comcept.net/ActiveX/TaxerCalculator.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.comcept.net/Viewer/activexviewer.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D312963A-D83D-4766-AB92-DD5A30D5EF95} (CMSProdActiveX.XMLLoad) - http://prod.comcept.net/ActiveX/CMSProdActiveX.CAB
O16 - DPF: {F90D47D0-F243-49B3-9E7B-F2D49567E626} (IEPrntCtl Class) - http://prod.comcept.net/ActiveX/IEPrintControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{07A9ACE1-E153-4AE6-8EF9-BB583392E68E}: NameServer = 205.152.37.254,205.152.0.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe


THANKS AGAIN!

#8 ddeerrff
Posted 09 June 2005 - 02:38 PM

The logs look clean, kellyaswift. How are things behaving?
Derfram
~~~~~~

#9 ddeerrff
Posted 16 June 2005 - 12:14 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~