
pop up crazy please help i am going mad!


22 replies to this topic

#1 blackfolder

blackfolder

  • Members
  • 31 posts

Posted 16 June 2005 - 04:46 AM

Hi,

I am new to this forum but have read a number of useful topics on here, and I am in need of some desperate help please.

This is my work computer and it is well and truly infected with pop ups. At first it was manageable but now it is out of control, sometimes 10 pop ups at once, and even when I am not on the Internet. No free program seems to be able to cure this problem either, which is no surprise reading some of the other topics.

I have run a HijackThis log but I can only get it to run in safe mode as Windows blocks access to it. The results from safe mode are displayed below.

I also ran Find-Qoologic2, which did not get blocked, so the results below were produced in normal mode.

If someone can help me rid this PC of infections I will be very grateful. Here are the 2 logs:

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 18:28:28, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\KATHRY~1.MCK\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 193.131.115.253 tuxhost
O1 - Hosts: 57.8.16.159 trce.galileo.com
O1 - Hosts: 57.8.16.39 printmanage.galileo.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: SDWin32 Class - {13DBA864-C661-42A4-BDF0-1D899AC89910} - C:\WINDOWS\system32\lcnnd.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hqieegd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [xF7O3qT] shmvices.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\KATHRY~1.MCK\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [gooERkfqV] shgio600.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.4sure.it/VS2/bin/myCioAgt.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2599273a9cfb5c...ip/RdxIE601.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://gopublic.wspan.com/Secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://gopublic.wspan.com/secure/DLLs/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = chelseavillagetravel.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C46A340-237A-42AE-9B09-BD472D7785B5}: NameServer = 192.168.0.215,192.168.0.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.2.203.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: hmiwyar - Unknown owner - C:\WINDOWS\system32\hmiwyar.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* qoologic C:\WINDOWS\System32\QOOL.EXE
* urllogic C:\WINDOWS\AAVMM.DLL
* qoologic C:\WINDOWS\AAVMM.DLL
* ad-beh C:\WINDOWS\System32\QOOL.EXE
* KavSvc C:\WINDOWS\System32\QOOL.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* UPX! C:\WINDOWS\System32\MC-58-~1.EXE
* UPX! C:\WINDOWS\System32\PSOFT1.EXE
* UPX! C:\WINDOWS\System32\QOOL.EXE
* UPX! C:\WINDOWS\System32\SEE041~1.EXE
* UPX! C:\WINDOWS\System32\UCI.EXE
* UPX! C:\WINDOWS\System32\MSCLOC~1.DLL
* UPX! C:\WINDOWS\System32\MSPLOC~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Focalpoint.lnk
Microsoft Office.lnk
Worldspan Filter Agent.lnk

User Startup:
C:\Documents and Settings\kathryn.mckinnon\Start Menu\Programs\Startup
.
..
12Ghosts Popup-Killer.lnk
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ggkmmkgf
<NO NAME> REG_SZ {4f334380-6b5a-4987-9d3a-d6ddf5cefb75}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin


#2 Swandog46

Swandog46

  • Members
  • 134 posts

Posted 17 June 2005 - 01:41 PM

Hi blackfolder :thumbsup:

Welcome to the forums. You've got quite an assortment of malware there --- let's see what we can do to clean it up. :flowers:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

(If you already have Ad-Aware SE 1.05 and Spybot 1.3 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Please download Ad-Aware SE from here:
http://www.majorgeeks.com/download506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file. Do not run a scan yet.

Next, please download Spybot-S&D from here:
http://shinobiresources.com/Downloads/spybot/spybotsd13.exe
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D --- do not run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please run Ewido, and run a full scan. Save the log from the scan.

Then please run Ad-Aware.

We will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.


Run Spybot. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems".

Then please restart your computer in normal mode.

Post the log from the Ewido scan and a new HijackThis log for me, and we'll go from there. :trumpet:

#3 blackfolder

blackfolder
  • Topic Starter

  • Members
  • 31 posts

Posted 18 June 2005 - 11:35 AM

That's great, I will give it a go Monday when I am back at work and let you know the results.

#4 Swandog46

Swandog46

  • Members
  • 134 posts

Posted 18 June 2005 - 03:56 PM

Okay! --- no problem. :thumbsup:

#5 blackfolder

blackfolder
  • Topic Starter

  • Members
  • 31 posts

Posted 20 June 2005 - 08:01 AM

:thumbsup: Hi,

Right, back at work now and I have performed everything you have asked me to so far. Here are the 2 log results (just to note HJT was run in safe mode as it will not run in normal mode):

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:29:37, 20/06/2005
+ Report-Checksum: 2D8A687A

+ Date of database: 20/06/2005
+ Version of scan engine: v3.0

+ Duration: 29 min
+ Scanned Files: 114621
+ Speed: 64.91 Files/Second
+ Infected files: 89
+ Removed files: 88
+ Files put in quarantine: 88
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator.EDT\Local Settings\Temp\Del1BE.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\Administrator.EDT\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\Administrator.EDT\Local Settings\Temporary Internet Files\Content.IE5\4VA7YNE9\2.8.7.4[1].exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddcr.exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\administrator@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\administrator@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@abcsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@adtrak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@bravenet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@etype.adbureau[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@fcstats.bcentral[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@server.iad.liveperson[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[12].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[16].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[24].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[29].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[64].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[74].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[77].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[82].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[83].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[88].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[9].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.POP.dl -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\Cookies\kathryn.mckinnon@abcsearch[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\Cookies\kathryn.mckinnon@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\Cookies\kathryn.mckinnon@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\Cookies\kathryn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\Cookies\kathryn[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\Del117.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temporary Internet Files\Content.IE5\IUCOEN8O\l04d3r[1].exe -> TrojanDownloader.Small.amw -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temporary Internet Files\Content.IE5\YVGZ16FY\dbn283[2].exe -> Dialer.Generic -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\DeactivatedItems\80973B5C-CB81-462D-84EA-EC78E7.asq -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\DeactivatedItems\9EC96194-1B62-4911-9C88-3A1646.asq -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\DeactivatedItems\E57B6DEB-709C-445E-A90B-D9923B.asq -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\27B60C0F-4442-417E-AF03-F9CED1\748B05E5-C4EA-4A56-BF43-98C06B -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\574D66B8-D0C4-4B4E-9B38-8ACE45\60A01C10-BD29-4AC9-98F7-E9010C -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\5A947759-D6DC-4EBF-8DD5-B69EAB\CF14479A-E8FB-4C83-8CCE-CFFFB8 -> Spyware.EliteBar.af -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\5BA9A6EC-EA04-4059-B97F-E26C2F\04D1011C-7C8B-47C2-8CED-A522DF -> Spyware.EliteBar.af -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\7653282F-AFB5-4D22-AAFF-07743A\3B81AD13-504D-442A-90CB-BEC4EB -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\7653282F-AFB5-4D22-AAFF-07743A\5F3B89B9-E10F-4A41-81D9-D31CA6 -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\7653282F-AFB5-4D22-AAFF-07743A\C333418F-6FE8-44CC-B20B-93B331 -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\93C667BE-47C3-470C-B356-C8EF6C\39E4DA4A-86E6-4EC1-A02D-1B1969 -> Spyware.VirtualBouncer -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\93C667BE-47C3-470C-B356-C8EF6C\E1638951-D5A4-4830-B942-9313C9 -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\93C667BE-47C3-470C-B356-C8EF6C\F6EE926E-79DF-4AC6-8CFF-5DADB1 -> Spyware.VirtualBouncer.j -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\9D3743C2-B952-4999-9F52-E8714A\0B54070E-89E8-4FB3-BA2D-485195 -> Spyware.Small.et -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\B4957B07-434B-4CFE-81BF-2A234D\C01970A3-F22C-40D3-A6AE-4E9364 -> Spyware.Small.et -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\D701CC92-FC12-4ED9-A2DE-47AFCD\3AC1A6DE-210C-4746-AA7D-166012 -> Spyware.HotSearchBar -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\E3B1B49F-5A3D-4775-8FD9-A1A76D\00FEBBE5-2A63-45C0-BDD9-F2E03C -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\3E031397-44D9-4DAE-8EBA-38F0B6 -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\4A421168-8379-4D1A-B586-64DC26 -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\6738DA4D-7763-483C-9728-89ACC2 -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\9D3BA7E7-F85A-4C16-B968-6B23E3 -> TrojanDownloader.Qoologic.l -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\A158302B-56AC-47C9-9070-749C90 -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\A39AF3FB-4441-4BAA-AF58-2D9458 -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\A7335267-79FD-4F73-863B-66E96C -> Trojan.Registrator.b -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\F4C2F99D-7203-403E-AB71-E3EC27\CCC8B700-CEA4-4B39-B976-C85C73 -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\system32\asms.exe -> TrojanDropper.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\WINDOWS\system32\ccqddqc.exe -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\dbnanup.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINDOWS\system32\ddebject.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\WINDOWS\system32\msclock32.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\msplock32.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\polrtosa.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINDOWS\system32\ppboobp.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\qqyww.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\rrauua.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\system32\wmconfig.cpl -> TrojanDropper.Win32.Small.wc -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 13:51:43, on 20/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 193.131.115.253 tuxhost
O1 - Hosts: 57.8.16.159 trce.galileo.com
O1 - Hosts: 57.8.16.39 printmanage.galileo.com
O2 - BHO: SDWin32 Class - {13DBA864-C661-42A4-BDF0-1D899AC89910} - C:\WINDOWS\system32\lcnnd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\KATHRY~1.MCK\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.4sure.it/VS2/bin/myCioAgt.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2599273a9cfb5c...ip/RdxIE601.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://gopublic.wspan.com/Secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://gopublic.wspan.com/secure/DLLs/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = chelseavillagetravel.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C46A340-237A-42AE-9B09-BD472D7785B5}: NameServer = 192.168.0.215,192.168.0.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.2.203.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



Let me know what you think and next steps to take.

Thanks again for the help

#6 Swandog46 (Members, 134 posts)

Posted 20 June 2005 - 11:26 AM

Fantastic --- that is looking a lot better :thumbsup:

Let's clean up the rest. Please run HijackThis, click Scan, and check:

O2 - BHO: SDWin32 Class - {13DBA864-C661-42A4-BDF0-1D899AC89910} - C:\WINDOWS\system32\lcnnd.dll
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\KATHRY~1.MCK\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2599273a9cfb5c...ip/RdxIE601.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Close all open windows and click Fix Checked.

Then go to Start -> Control Panel -> Add/Remove Programs and remove the following:

CasinoClient
Cas
Media Access
180client (or 180solutions)

Then delete the folder:

C:\Program Files\Cas

Also delete the files:

C:\temp\stubinstaller6480.exe
C:\WINDOWS\cfgmgr52.dll

Please download CCleaner from here:
http://www.ccleaner.com
Install and run it, and clean out your Temporary and Temporary Internet Files (as well as anything else you may want to clean out.)

Then please restart your computer and post a new HijackThis log (see if you can get a log from normal mode this time.) :flowers:

#7 blackfolder (Topic Starter, Members, 31 posts)

Posted 21 June 2005 - 04:48 AM

Ok, next stage is complete :thumbsup:

When I deleted the folder C:\Program Files\Cas I also spotted a folder called CasStub which I don't recognise. I have left it there for now as I am not sure if it is connected to the Cas folder?

HJT still will not run in normal mode; it is because of the McAfee VirusScan ASaP that runs on all the PCs at work. As soon as you go to the file it deletes it, and I can't seem to stop it from running. So here is the log from safe mode, and also at the end is a log from FQ2 in normal mode; not sure if it is any good or not, but I thought I would include it anyway for you.

Also, I shouldn't speak too soon, but I have not had one pop up whilst writing this! :flowers:

Thanks again, I await the next instructions master

Logfile of HijackThis v1.99.1
Scan saved at 10:29:05, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 193.131.115.253 tuxhost
O1 - Hosts: 57.8.16.159 trce.galileo.com
O1 - Hosts: 57.8.16.39 printmanage.galileo.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.4sure.it/VS2/bin/myCioAgt.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://gopublic.wspan.com/Secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://gopublic.wspan.com/secure/DLLs/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = chelseavillagetravel.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C46A340-237A-42AE-9B09-BD472D7785B5}: NameServer = 192.168.0.215,192.168.0.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.2.203.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\AAVMM.DLL
* qoologic C:\WINDOWS\AAVMM.DLL
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* UPX! C:\WINDOWS\System32\SEE041~1.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Focalpoint.lnk
Microsoft Office.lnk
Worldspan Filter Agent.lnk

User Startup:
C:\Documents and Settings\kathryn.mckinnon\Start Menu\Programs\Startup
.
..
12Ghosts Popup-Killer.lnk
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ggkmmkgf
<NO NAME> REG_SZ {eafec25f-9861-4bb3-9eb3-dba13fcb2476}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

#8 Swandog46 (Members, 134 posts)

Posted 21 June 2005 - 10:31 AM

Ohhhhh that's why HijackThis won't run. McAfee has been falsely detecting HJT as a worm for a few months now --- see Merijn's page for details:
http://www.merijn.org

I had thought that just updating McAfee's definitions fixed that problem. If not, can you somehow set McAfee just to ignore the HijackThis file? That is quite annoying....

Well, it is looking better each time. I want to get rid of a few remaining entries.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. :thumbsup:

#9 blackfolder (Topic Starter, Members, 31 posts)

Posted 21 June 2005 - 11:21 AM

I have uninstalled McAfee as we don't have a licence with them anymore; it never seems to do anything apart from block good programs. I can always get it off the server again if needs be.

Ok, so I have completed the next part and we have a HJT log from normal mode :thumbsup:

Whilst working I did get some more pop ups, so hopefully none of the ones we got rid of have reappeared. Anyway, here are the 2 new logs:-

Logfile of HijackThis v1.99.1
Scan saved at 17:17:33, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINDOWS\system\jrvu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 193.131.115.253 tuxhost
O1 - Hosts: 57.8.16.159 trce.galileo.com
O1 - Hosts: 57.8.16.39 printmanage.galileo.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://gopublic.wspan.com/Secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://gopublic.wspan.com/secure/DLLs/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = chelseavillagetravel.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C46A340-237A-42AE-9B09-BD472D7785B5}: NameServer = 192.168.0.215,192.168.0.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:08:17, 21/06/2005
+ Report-Checksum: 222D3D

+ Date of database: 21/06/2005
+ Version of scan engine: v3.0

+ Duration: 13 min
+ Scanned Files: 71117
+ Speed: 87.59 Files/Second
+ Infected files: 12
+ Removed files: 12
+ Files put in quarantine: 12
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@abcsearch[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn.mckinnon@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[10].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Cookies\kathryn[9].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\kathryn.mckinnon\Local Settings\Temporary Internet Files\Content.IE5\FE0VJPKD\l04d3r[1].exe -> TrojanDownloader.Small.amw -> Cleaned with backup


::Report End

#10 Swandog46 (Members, 134 posts)

Posted 21 June 2005 - 07:26 PM

Hmmm... that looks clean to me. Are you still getting the popups? Where are they from? What do they look like?

#11 blackfolder (Topic Starter, Members, 31 posts)

Posted 22 June 2005 - 03:33 AM

Well, that's good news. I will monitor it for a few hours and report back. One thing that happens every morning, or when the PC is restarted, is that GIANT AntiSpyware alerts and says AFA Internet Enhancement is trying to install; it gives the option to remove, which I have taken, but it always comes back :thumbsup:

I have been on the Spyware Removal & Malware Self-Help and Reading Room forum and read and followed instructions to remove this, but still it comes back, so it makes me worry what is lurking beneath.

Anyway I will report back later. Thanks for all the help it is a hundred times better :flowers:

#12 Swandog46 (Members, 134 posts)

Posted 22 June 2005 - 10:20 AM

Let's try this --- please disable Giant Antispyware completely, restart your computer, and post a new HijackThis log. Then hopefully I will be able to see whatever it is that is still there. :thumbsup:

#13 blackfolder (Topic Starter, Members, 31 posts)

Posted 22 June 2005 - 10:46 AM

Ok, I have shut it off, restarted, and here is the HJT log. The good news, though, is not one single pop up :thumbsup: so if this is the only problem it's not the end of the world.

Logfile of HijackThis v1.99.1
Scan saved at 16:45:42, on 22/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system\jrvu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 193.131.115.253 tuxhost
O1 - Hosts: 57.8.16.159 trce.galileo.com
O1 - Hosts: 57.8.16.39 printmanage.galileo.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://gopublic.wspan.com/Secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://gopublic.wspan.com/secure/DLLs/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = chelseavillagetravel.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C46A340-237A-42AE-9B09-BD472D7785B5}: NameServer = 192.168.0.215,192.168.0.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chelseavillagetravel.co.uk
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

#14 Swandog46 (Members, 134 posts)

Posted 22 June 2005 - 11:09 AM

Hi blackfolder :thumbsup:

Just as I suspected, the problematic entry showed up this time :flowers:

Please run HJT, click Scan, and check:

O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

Close all open windows except for HijackThis and click Fix Checked.

Then delete the file:

C:\WINDOWS\VCMnet11.exe

Also please find the file:

C:\WINDOWS\system\jrvu.exe

and submit it for an online virus scan at:

http://virusscan.jotti.org/

I am not sure if it is bad or not. :trumpet: Post the results of the scan here for me.

Please also restart, run a full scan with Ewido, and post a new HijackThis log. :inlove:
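
To make explicit what Swandog46's manual triage in posts #6, #8 and #14 is reacting to, here is an added Python example (not part of the thread, and not a HijackThis feature) that parses HijackThis log entries and flags the structural signals used in those posts: O4 Run targets living in a Temp directory or directly in the Windows root, a Run value named after its own file path, O16 DPF entries that pull a bare .exe rather than a .cab, an O18 MIME filter hooked on text/html, and O23 services whose binary is missing or whose owner is unknown. The sample log is assembled from entries quoted in this thread; the function names and the reason strings are my own.

```python
import re

# Constructed sample: HijackThis entries of the kinds quoted in this thread.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [Visual Element FX5] C:\\DOCUME~1\\KATHRY~1.MCK\\LOCALS~1\\Temp\\See04152005.exe
O4 - HKLM\\..\\Run: [cfgmgr52] RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun
O4 - HKCU\\..\\Run: [180ClientStubInstall] "C:\\temp\\stubinstaller6480.exe"
O4 - HKLM\\..\\Run: [C:\\WINDOWS\\VCMnet11.exe] C:\\WINDOWS\\VCMnet11.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\\Program Files\\Cas\\Client\\casmf.dll
O23 - Service: McShield - Network Associates, Inc. - C:\\WINDOWS\\myCIO\\VScan\\McShield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - <detail>"
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")          # "HKLM\..\Run: [Name] command"
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)    # ...\Temp\... anywhere in the path
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)  # file directly under C:\WINDOWS


def command_path(command):
    """Pull the file path out of an O4 command string.

    Handles quoted paths with spaces, trailing arguments (/background),
    and the RunDLL32 form `RunDLL32.EXE C:\\path\\x.dll,EntryPoint`.
    """
    command = command.strip()
    if command.upper().startswith("RUNDLL32.EXE "):
        command = command.split(" ", 1)[1].split(",", 1)[0]
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check_entry(section, detail):
    """Return the list of reasons one HijackThis entry looks odd (empty = nothing flagged)."""
    reasons = []
    if section == "O4":
        m = O4_RE.match(detail)
        if m:
            _hive, value_name, command = m.groups()
            path = command_path(command)
            if TEMP_DIR_RE.search(path):
                reasons.append("autorun target lives in a Temp directory")
            if WINDOWS_ROOT_RE.match(path):
                reasons.append("autorun target sits directly in the Windows root")
            if value_name.lower() == path.lower():
                reasons.append("Run value is named after its own file path")
    elif section == "O16":
        url = detail.rsplit(" - ", 1)[-1]
        if url.lower().endswith(".exe"):
            reasons.append("DPF entry downloads a bare executable instead of a .cab")
    elif section == "O18" and detail.startswith("Filter: text/html"):
        reasons.append("MIME filter hooked on text/html (can rewrite every page IE renders)")
    elif section == "O23":
        if "(file missing)" in detail:
            reasons.append("service binary is missing from disk")
        if "Unknown owner" in detail:
            reasons.append("service has no identifiable vendor")
    return reasons


def scan(log_text):
    """Parse a HijackThis log; return [(section, detail, reasons)] for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, "Running processes:" block
        section, detail = m.groups()
        reasons = check_entry(section, detail)
        if reasons:
            findings.append((section, detail, reasons))
    return findings


if __name__ == "__main__":
    for section, detail, reasons in scan(SAMPLE_LOG):
        print(f"{section}: {detail}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run on the sample it flags seven entries and leaves IgfxTray, MSMSGS, the Worldspan .cab and McShield alone. These are structural hints only: a file such as jrvu.exe, which sits in a normal-looking location and carries no such tell-tale, is exactly the case where the thread falls back to a multi-engine file scan, so an empty result from this script is not evidence of a clean machine.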

#15 blackfolder (Topic Starter, Members, 31 posts)

Posted 22 June 2005 - 11:23 AM

Yep, I think it's a baddie! Here are the results from the online scan. I am doing the rest now.

Service load: 0% 100%

File: jrvu.exe
Status: INFECTED/MALWARE
MD5 66a7c252f167c0b1e1e7c5437e673a89
Packers detected: -
Scanner results
AntiVir Found Heuristic/Trojan.Downloader (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Downloader.Generic.AAV
BitDefender Found Trojan.Downloader.Small.AYH
ClamAV Found Trojan.Downloader.Small-589
Dr.Web Found Trojan.Click.523
F-Prot Antivirus Found W32/Downloader.CSE
Fortinet Found W32/Registrator.B-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.ayh
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found Trojan-Downloader.Win32.Small.ayh
