
Some Persistent Problems


  • This topic is locked
4 replies to this topic

#1 neutrogina

neutrogina

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 04 August 2005 - 07:20 AM

Hi, I am having some persistent problems with virus messages (realtime monitor messages) and Spybot also keeps finding Smitfraud-C, but can't clean it. Here are the messages from my virus checker:

"The Win32.Puper.R was detected in C:\WINDOWS\POPUPER.EXE.0.AVB."
and
"The Win32.Alemod.H was detected in C:\WINDOWS\SYSTEM32\WININET.DLL."

Thanks in advance for looking at this post!

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:17 AM, on 8/04/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Jabber\JabberMessenger.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.can.eds.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.shl.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\lcf\dat\1\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\lcf\dat\1\Mobile" "c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [Refresh] c:\windows\coe\refresh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2gzrll802] "c:\em\opt\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\em\opt\tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [EMFINV] C:\Program Files\Eds\EmfInv\emfinv.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: EDS EIM.lnk = ?
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://sfweb.cio.eds.com/download/CfxIEAx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwca.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123089829597
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://eroom.eds.de/eRoomSetup/client.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {87A7D186-27E6-11D3-A4CB-00C04F72C232} (SAGraphicView Control) - http://www.gsms-am.eds.com/gsmsps/Appl/sagraphicview.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC93F0F5-9259-4642-94EC-FA5BBBC6981E} (BltPrinter.PrintControl) - http://www.gsms-am.eds.com/gsmsps/Appl/BltPrinter.CAB
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://collaborate5.coe.eds.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.corp.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: Domain = eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: NameServer = 205.191.24.78,205.191.22.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eds.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eds.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
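As an added illustration (not code from this thread or from HijackThis), the following Python breaks a log in the format posted above into its "Running processes" list and its R/F/N/O entries, then pulls out two things a responder checks first: O23 services with no recognised owner, and O16 ActiveX downloads from hosts outside a trusted domain list. The embedded sample is constructed from a few of the lines above, and the two triage rules are this example's own assumptions.

```python
"""Parse a HijackThis 1.99 log into structured entries for triage.

Added example; not code from this thread or from HijackThis. The sample
below is constructed from a few lines of the log posted above, and the
two triage rules are this example's own assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the log format shown in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:14:17 AM, on 8/04/05
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.can.eds.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://sfweb.cio.eds.com/download/CfxIEAx.cab
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HJT entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (processes, entries); entries maps a tag like 'O23' to its lines."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)


def unknown_owner_services(entries):
    """O23 services whose binary carries no recognised vendor string."""
    return [e for e in entries.get("O23", []) if " - Unknown owner - " in e]


def dpf_hosts_outside(entries, trusted_suffixes):
    """Hosts of O16 (ActiveX download) entries not under a trusted domain."""
    outside = []
    for e in entries.get("O16", []):
        host = urlparse(e.rsplit(" - ", 1)[-1]).hostname or ""
        if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            outside.append(host)
    return outside


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {sum(map(len, ents.values()))} entries")
    for svc in unknown_owner_services(ents):
        print("unknown-owner service:", svc)
    for host in dpf_hosts_outside(ents, ["eds.com", "microsoft.com"]):
        print("O16 download from untrusted host:", host)
```

An unknown owner only means the service binary carries no vendor string; in the log above the Tivoli and EDS management agents show up the same way, so the list is a starting point for verification, not a verdict.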


#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 04 August 2005 - 09:55 AM

Hi, neutrogina,
Welcome :thumbsup:

First of all, we will need to have you create a folder for HJT where you can keep the tool with the Backups folder that it will create.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder.

Right-click on your HJT where it is currently, "Cut" from there. Go to your new folder and "Paste" your HijackThis.exe in there.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido. There should be an icon on your desktop; double-click it.
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
The program will now go to the main screen.
You will need to update ewido to the latest definition files.
On the left-hand side of the main screen, click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
Click on Scanner
Then select "Settings"
Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
Select "OK" and you will return to scanning options.
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections".
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Website -> Uncheck "Security Info" if present.

Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 neutrogina

neutrogina
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 05 August 2005 - 11:00 AM

Hi Bugbatter, and thanks for the quick reply. I have done all that you recommended, but unfortunately still have the same problems. Here are the new logs.

Logfile of HijackThis v1.99.1
Scan saved at 11:51:47 AM, on 8/05/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Jabber\JabberMessenger.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.can.eds.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.shl.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\lcf\dat\1\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\lcf\dat\1\Mobile" "c:\em\opt\tivoli\lcf\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [Refresh] c:\windows\coe\refresh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2gzrll802] "c:\em\opt\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\em\opt\tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [EMFINV] C:\Program Files\Eds\EmfInv\emfinv.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: EDS EIM.lnk = ?
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://sfweb.cio.eds.com/download/CfxIEAx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwca.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123089829597
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://eroom.eds.de/eRoomSetup/client.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {87A7D186-27E6-11D3-A4CB-00C04F72C232} (SAGraphicView Control) - http://www.gsms-am.eds.com/gsmsps/Appl/sagraphicview.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC93F0F5-9259-4642-94EC-FA5BBBC6981E} (BltPrinter.PrintControl) - http://www.gsms-am.eds.com/gsmsps/Appl/BltPrinter.CAB
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://collaborate5.coe.eds.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.corp.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: Domain = eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB84038F-8D98-4A73-8306-A79CF5E07983}: NameServer = 205.191.24.78,205.191.22.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eds.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eds.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - c:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




smitRem log file
version 2.3

by noahdfear

The current date is: Thu 08/04/2005
The current time is: 16:01:10.80

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :thumbsup:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :flowers:




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:59:49 PM, 8/4/2005
+ Report-Checksum: 55BA47E9

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{FDE3577A-6254-181C-4E11-339E4F746BD3} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{69753829-779C-45e7-9D8C-C79CE0989246} -> Spyware.iSearch : Cleaned without backup
C:\WINDOWS\POPUPER.EXE.0.AVB -> Trojan.Puper.w : Cleaned without backup
C:\WINDOWS\system32\INTELL32.EXE.0.AVB -> Trojan.Small.ev : Cleaned without backup
C:\WINDOWS\system32\INTELL32.EXE.1.AVB -> Trojan.Small.ev : Cleaned without backup
C:\WINDOWS\system32\INTELL32.EXE.2.AVB -> Trojan.Small.ev : Cleaned without backup
C:\WINDOWS\system32\INTELL32.EXE.3.AVB -> Trojan.Small.ev : Cleaned without backup
C:\WINDOWS\system32\MSOLE32.EXE.0.AVB -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\msupgr32.exe.tcf -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\SHNLOG.EXE.0.AVB -> Trojan.Puper.af : Cleaned with backup


::Report End

#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 05 August 2005 - 04:42 PM

"unfortunately still have the same problems"

All that cleaning was done and Spybot is still coming up with those two problems?
Please state exactly what symptoms you are still having. Thanks.



#5 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 15 August 2005 - 08:26 PM

Due to inactivity, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.





