Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infested plz help


  • Please log in to reply
4 replies to this topic

#1 MikeFen

MikeFen

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:15 PM

Posted 09 June 2005 - 10:12 AM

Hello -

I have been infested with Spyware/Adware.
NAV is detecting the AlwaysUp trojan virus at least twice a day.

Can help me get rid of this issue.

Below is my HiJackThis log..

Thanks,
Mike
---------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:05:07 AM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Perl\bin\Perl.exe
C:\WINNT\system32\acs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\insight\tools\aiclient.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\PROGRA~1\insight\tools\AICR.EXE
C:\Program Files\Gillette\adm\bin\GillServ.exe
c:\Program Files\Perl\Bin\perl.exe
c:\Program Files\Gillette\Adm\bin\GillMesg.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\RCSERV.EXE
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\TpShocks.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\insight\tools\AISOFTMN.EXE
C:\WINNT\system32\dpmw32.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\program files\plossys\print-to-plossys\seppstarter.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\ICO.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\srepl40m.exe
C:\PROGRA~1\Lotus\SAMETI~1\CConnect.exe
C:\Documents and Settings\fennelm\Desktop\Spyware Remval programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insight.gillette.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Gillette Company
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gbopac.gillette.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Start Telnet Server Service] "net start tlntsvr"
O4 - HKLM\..\Run: [DSLWatch] Perl.exe "C:\Program Files\gillette\adm\bin\DSLWatch.pl"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Asset Insight SUM] C:\PROGRA~1\insight\tools\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [UPDHKCU] "C:\Program Files\perl\bin\perl.exe" "C:\Program Files\gillette\adm\bin\UpdHKCU.pl"
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [Seppstarter] "c:\program files\plossys\print-to-plossys\seppstarter.exe" -allow umaker
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LiveUpdateCheck] C:\Program Files\NavNT\vpdn_lu.exe /fUpdate /s
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [srepl40m] C:\WINNT\system32\srepl40m.exe
O4 - HKCU\..\Run: [BrowserFlags] "C:\Program Files\Microsoft Office\User\BrowserFlags.exe" /S /M="C:\Documents and Settings\fennelm\Config\BrowserFlags.cfg"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=home_page=http://insight.gillette.com
O16 - DPF: Concur Expense Applets - http://10.178.43.24/Applets/cnqr2k4_ie.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gillette.com,braunag.de,dnag.gillette.com,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gillette.com,braunag.de,dnag.gillette.com,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gillette.com,braunag.de,dnag.gillette.com,
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\PROGRA~1\insight\tools\aiclient.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: GillServ - Unknown owner - C:\Program Files\Gillette\adm\bin\GillServ.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: OracleDEFAULT_HOMEClientCache - Unknown owner - c:\progra~1\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Program Files\oracle\ora92\bin\omtsreco.exe
O23 - Service: pcAnywhere Install Service - Unknown owner - C:\Program Files\Symantec\pcAnywhere\pca_run.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - IBM Corporation - C:\WINNT\RCSERV.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TS EA Access Server - Unknown owner - C:\Program Files\DataMirror\TS EA\Servserv.exe
O23 - Service: TS EA Integration Server - Unknown owner - C:\Program Files\DataMirror\TS EA\is.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe

BC AdBot (Login to Remove)

 


m

#2 MikeFen

MikeFen
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:15 PM

Posted 09 June 2005 - 04:12 PM

Forgot to mention in my original post that I have run Ad-Aware and SpyBot many many times without any luck in removing whatever it is that got me.

Thanks in advance.

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:15 PM

Posted 10 June 2005 - 05:57 PM

hello MikeFen and welcome to the BC forums. I only see one item that might be questionable. Let's have that file checked out.

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:C:\WINNT\system32\srepl40m.exe
Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#4 MikeFen

MikeFen
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:15 PM

Posted 13 June 2005 - 09:13 AM

Hi OT -

Thankyou for trying to help out with this.
I can not find the C:\WINNT\system32\srepl40m.exe file as requested.
I am still getting pop-ups all the time however.


Below is another HiJack log that I ran today right after I got one of thise blasted pop-ups :
Logfile of HijackThis v1.99.1
Scan saved at 10:07:03 AM, on 6/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Perl\bin\Perl.exe
C:\WINNT\system32\acs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\insight\tools\aiclient.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\PROGRA~1\insight\tools\AICR.EXE
C:\Program Files\Gillette\adm\bin\GillServ.exe
c:\Program Files\Perl\Bin\perl.exe
c:\Program Files\Gillette\Adm\bin\GillMesg.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\RCSERV.EXE
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\TpShocks.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\insight\tools\AISOFTMN.EXE
C:\program files\plossys\print-to-plossys\seppstarter.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\ICO.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\cctresa.exe
C:\WINNT\system32\WISPTIS.EXE
C:\WINNT\system32\dpmw32.exe
C:\PROGRA~1\Lotus\SAMETI~1\CConnect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\fennelm\Desktop\Spyware Remval programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insight.gillette.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Gillette Company
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gbopac.gillette.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DSLWatch] Perl.exe "C:\Program Files\gillette\adm\bin\DSLWatch.pl"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Asset Insight SUM] C:\PROGRA~1\insight\tools\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [UPDHKCU] "C:\Program Files\perl\bin\perl.exe" "C:\Program Files\gillette\adm\bin\UpdHKCU.pl"
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [Seppstarter] "c:\program files\plossys\print-to-plossys\seppstarter.exe" -allow umaker
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LiveUpdateCheck] C:\Program Files\NavNT\vpdn_lu.exe /fUpdate /s
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [cctresa] C:\WINNT\system32\cctresa.exe
O4 - HKCU\..\Run: [BrowserFlags] "C:\Program Files\Microsoft Office\User\BrowserFlags.exe" /S /M="C:\Documents and Settings\fennelm\Config\BrowserFlags.cfg"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=home_page=http://insight.gillette.com
O16 - DPF: Concur Expense Applets - http://10.178.43.24/Applets/cnqr2k4_ie.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gillette.com,braunag.de,dnag.gillette.com,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gillette.com,braunag.de,dnag.gillette.com,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gillette.com,braunag.de,dnag.gillette.com,
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\PROGRA~1\insight\tools\aiclient.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: GillServ - Unknown owner - C:\Program Files\Gillette\adm\bin\GillServ.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: OracleDEFAULT_HOMEClientCache - Unknown owner - c:\progra~1\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Program Files\oracle\ora92\bin\omtsreco.exe
O23 - Service: pcAnywhere Install Service - Unknown owner - C:\Program Files\Symantec\pcAnywhere\pca_run.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - IBM Corporation - C:\WINNT\RCSERV.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TS EA Access Server - Unknown owner - C:\Program Files\DataMirror\TS EA\Servserv.exe
O23 - Service: TS EA Integration Server - Unknown owner - C:\Program Files\DataMirror\TS EA\is.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe

The thing that really gets me is that sometimes these pop-ups appear when I am not even on the 'Net yet!!!

Think I should simply add a pop-up blocker?

Thanks again,
Mike

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:15 PM

Posted 13 June 2005 - 09:01 PM

Hi MikeFen. There isn't anything in the log to indicate malware at this time. What exactly are the popups that you are receiving. I see a couple of remote access applications here, are you sure that these are not coming from the remote systems that you are connecting to?

Post back with a little more detail regarding the popups and what they say and we'll see if we can narrow down the ccause.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users