
Hjt Log Can't Get Rid Of Trojan


12 replies to this topic

#1 rmk

rmk

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 31 October 2005 - 08:28 PM

Hi,
Below is the hjt logfile. I know that the line "O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\nttm.exe" is a bad item, but I can't get rid of it. And then the search assistants come back. Please help. I can't get on the internet on the computer that is having these problems, so I am using this computer to show the logfile. Thanks for all your help.
rmk


Logfile of HijackThis v1.99.1
Scan saved at 4:09:51 PM, on 10/31/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\nttm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\crbf32.exe
C:\Documents and Settings\jkaplan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\jkaplan\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Class - {E668ECFF-2AA3-E8D3-2A82-A75C24E0CF04} - C:\WINNT\javabt32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [crbf32.exe] C:\WINNT\crbf32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redi.webex.com/client/v_mywebex-t20...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3116954-3E6A-4352-B850-B3FE97B3B1F2}: NameServer = 92.3.87.31,92.3.85.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\nttm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 01 November 2005 - 09:08 AM

Hello and welcome to BC!

Please print these instructions out, or write them down, as you can't read them during the fix.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Unzip CWShredder to its own folder (i.e. c:\CWShredder)

Unzip AboutBuster to its own folder (i.e. c:\Aboutbuster)

Run the CleanUp! installer. You don't need to do anything with it right now.

Download HomeSearchfix.zip
http://users.pandora.be/marcvn/tools/HSfix.zip
  • Unzip the contents of HSfix.zip (HSfix.reg) to your desktop.
  • Please do not do anything with it yet.
Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Then run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Double-click on HSfix.reg you downloaded earlier.
  • When it asks you to merge the information to the registry click "Yes".
Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, reboot back into normal mode and post back with how things went, as well as all the logs requested along with a fresh HijackThis log. :thumbsup:
Hi there, stranger!

#3 rmk

rmk
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 01 November 2005 - 05:05 PM

hi,
I followed all the directions - downloaded and ran about:buster, SpSeHjfix, CWShredder, CleanUp! and HSfix. But it still didn't get rid of the problem. Here is the hjt log, the SpSeHjfix log and the about:buster log.

Logfile of HijackThis v1.99.1
Scan saved at 4:51:01 PM, on 11/1/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\crbf32.exe
C:\WINNT\system32\nttm.exe
C:\Documents and Settings\jkaplan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\jkaplan\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Class - {E668ECFF-2AA3-E8D3-2A82-A75C24E0CF04} - C:\WINNT\javabt32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [crbf32.exe] C:\WINNT\crbf32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redi.webex.com/client/v_mywebex-t20...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3116954-3E6A-4352-B850-B3FE97B3B1F2}: NameServer = 92.3.87.31,92.3.85.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\nttm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

SpSeHjfix log:

(11/1/05 3:47:21 PM) SPSeHjFix started v1.1.2
(11/1/05 3:47:21 PM) OS: Win2000 Service Pack 2 (5.0.2195)
(11/1/05 3:47:21 PM) Language: english
(11/1/05 3:47:21 PM) Win-Path: C:\WINNT
(11/1/05 3:47:21 PM) System-Path: C:\WINNT\System32
(11/1/05 3:47:21 PM) Temp-Path: C:\DOCUME~1\jkaplan\LOCALS~1\Temp\
(11/1/05 3:47:33 PM) Disinfection started
(11/1/05 3:47:33 PM) Bad-Dll(IEP): (not found)
(11/1/05 3:47:33 PM) Bad-Dll(IEP) in BHO: (not found)
(11/1/05 3:47:33 PM) UBF: 4 - UBB: 2 - UBR: 11
(11/1/05 3:47:33 PM) UBF: 4 - UBB: 2 - UBR: 11
(11/1/05 3:47:33 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(11/1/05 3:47:33 PM) Stealth-String not found
(11/1/05 3:47:33 PM) Not infected->END

AboutBuster 5.1, reference file 32
Scan started on [11/1/2005] at [3:34:46 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINNT\fekel.dat
Removed File! : C:\WINNT\System32\qlabj.dll
Removed File! : C:\WINNT\System32\rqlab.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:35:16 PM


AboutBuster 5.1, reference file 32
Scan started on [11/1/2005] at [3:45:01 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:45:30 PM


Please advise. Thank you.
rmk

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 02 November 2005 - 01:02 AM

Hi, your log looks a LOT better now.

Click Start => Run => and type in;

services.msc

Click "OK".

In the Services window find the service: Network Security Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: 11F#`I
    It is IMPORTANT that there is a space in front of the FIRST number 1 or it WON'T work!
  • Click "ok", then reboot
After the reboot, locate the following file and delete if present:

C:\WINNT\system32\nttm.exe

Empty recycle bin. Then post a fresh HiJackThis log. :thumbsup:
Hi there, stranger!

#5 rmk

rmk
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 02 November 2005 - 10:44 AM

hi,
Unfortunately this did not fix it. When I try to disable the service 11F#`I, the computer says, "Configuration Manager: a general internal error occurred." It is disabled for the moment and comes back. I tried to change the Recovery tab in the properties to "take no action", but I get the same answer: "Configuration Manager: a general internal error occurred." Then I deleted the application in the WINNT\system32 folder, and it recreates a new one. So my new HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:04 AM, on 11/2/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\crbf32.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\BRQIKMON.EXE
C:\Documents and Settings\jkaplan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\jkaplan\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Class - {E668ECFF-2AA3-E8D3-2A82-A75C24E0CF04} - C:\WINNT\javabt32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [crbf32.exe] C:\WINNT\crbf32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redi.webex.com/client/v_mywebex-t20...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3116954-3E6A-4352-B850-B3FE97B3B1F2}: NameServer = 92.3.87.31,92.3.85.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\d3uy32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

And as you see, now 11F#`I is under Workstation NetLogon Service, and the file in WINNT is d3uy32.exe instead of nttm.exe. So I need more help! Thanks!!!
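Across the three HijackThis logs in this thread the same service keeps its key name " 11F#`I" (note the leading space) while its display name and binary change (nttm.exe, then d3uy32.exe). The following is an added example, not code from the thread or from HijackThis: it parses O23 and R0/R1 lines from constructed copies of the entries quoted above, flags the patterns a defender would look for (whitespace or odd characters in a service key name, an ownerless binary dropped straight into the Windows folder, a res:// search hijack), and follows one service across successive logs by its verbatim key name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample logs: entries copied from the 31 Oct, 1 Nov and 2 Nov HJT logs.
LOG_OCT31 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlabj.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\nttm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""
LOG_NOV1 = r"""
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\nttm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""
LOG_NOV2 = r"""
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\d3uy32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

O23_PREFIX = "O23 - Service: "
R_LINE = re.compile(r"^R[013] - (?P<key>.+?) = (?P<value>.*)$")
SHORT_IN_PARENS = re.compile(r"^(?P<display>.*?) ?\((?P<short>[^()]*)\)$")
# Characters one expects in a service key name; spaces are legal inside a name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_. \-]+$")
WINDOWS_DIRS = {r"c:\winnt", r"c:\winnt\system32"}


@dataclass(frozen=True)
class Service:
    display: str  # name shown in services.msc
    short: str    # key under HKLM\SYSTEM\CurrentControlSet\Services, kept verbatim
    company: str
    path: str


def parse_o23(line: str) -> Optional[Service]:
    """Parse 'O23 - Service: Display (short) - Company - Path'; None otherwise."""
    if not line.startswith(O23_PREFIX):
        return None
    # Split from the right so a ' - ' inside the display name cannot shift
    # the company and path fields.
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, company, path = parts
    m = SHORT_IN_PARENS.match(head)
    if m:  # HJT prints '(short)' only when it differs from the display name
        return Service(m["display"], m["short"], company, path)
    return Service(head, head, company, path)


def suspicious_reasons(svc: Service) -> List[str]:
    """Heuristics for the persistence pattern seen in this thread."""
    reasons = []
    if svc.short != svc.short.strip():
        reasons.append("service key name has leading/trailing whitespace")
    if not SAFE_NAME.match(svc.short.strip()):
        reasons.append("service key name contains unusual characters")
    folder = svc.path.rsplit("\\", 1)[0].lower()
    if svc.company == "Unknown owner" and folder in WINDOWS_DIRS:
        reasons.append("binary with no vendor ('Unknown owner') dropped directly in the Windows folder")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every R0/R1/O23 entry worth a closer look."""
    flagged = []
    for line in log_text.splitlines():
        r = R_LINE.match(line)
        if r and r["value"].lower().startswith("res://"):
            flagged.append((line, ["IE search/start page points into a local DLL resource (CWS-style hijack)"]))
            continue
        svc = parse_o23(line)
        if svc:
            reasons = suspicious_reasons(svc)
            if reasons:
                flagged.append((line, reasons))
    return flagged


def track_service(short: str, logs: List[str]) -> List[Tuple[str, str]]:
    """Follow one service by its verbatim key name across successive logs,
    returning (display name, path) each time it appears."""
    history = []
    for log in logs:
        for line in log.splitlines():
            svc = parse_o23(line)
            if svc and svc.short == short:
                history.append((svc.display, svc.path))
    return history


if __name__ == "__main__":
    for line, reasons in triage(LOG_OCT31):
        print(line)
        for reason in reasons:
            print("   ->", reason)
    for display, path in track_service(" 11F#`I", [LOG_OCT31, LOG_NOV1, LOG_NOV2]):
        print(f"{display!r:40} {path}")
```

Matching on the verbatim key name rather than the display name is what makes the history line up: the display name is what the service renamed itself to between logs, the key is what stayed.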

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 02 November 2005 - 01:34 PM

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drives, hit yes to all.

Reboot.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Hi there, stranger!

#7 rmk

rmk
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 02 November 2005 - 06:21 PM

Hi,
I think this is OK now. Here is my new HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 6:06:33 PM, on 11/2/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\Promon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\jkaplan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\jkaplan\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redi.webex.com/client/v_mywebex-t20...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3116954-3E6A-4352-B850-B3FE97B3B1F2}: NameServer = 92.3.87.31,92.3.85.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csnet.slk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = csnet.slk.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I do have another question for you. In services.msc, the file that is causing all the trouble, "Workstation Net Login", is still listed in services.msc, but disabled. Is it possible to delete it? Or should I just leave it there? Thank you so much for your help.

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 03 November 2005 - 12:58 AM

Fix this entry in HijackThis:

O17 - HKLM\System\CCS\Services\Tcpip\..\{C3116954-3E6A-4352-B850-B3FE97B3B1F2}: NameServer = 92.3.87.31,92.3.85.31

As for the service.. If it's disabled, simply follow these instructions :thumbsup:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: 11F#`I
    It is IMPORTANT that there is a space in front of the FIRST number 1 or it WON'T work!
  • Click "ok", then reboot
Post back and let me know how it goes :flowers:
Hi there, stranger!

#9 rmk

rmk
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 03 November 2005 - 08:38 AM

Hi,
I know that I need these servers "NameServer = 92.3.87.31,92.3.85.31" to communicate with the network here at the office. So I really am afraid to delete them. Do you really think that I need to do this? I am not at the office right now, but will try to delete the NT service when I go there later today. Thanks again.
rmk

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 03 November 2005 - 08:56 AM

Ok, well if you know you need the entry, then keep it. I just didn't find any good info on it.
Hi there, stranger!

#11 rmk

rmk
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 05 November 2005 - 09:01 AM

Thank you so very much! I was able to delete the file and thanks to you that computer is in great shape now. Have a good day and thanks again!!
rmk

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 05 November 2005 - 09:16 AM

You're welcome! :thumbsup:

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
  • EULAlyzer by Javacool <= No need to read End User License Agreements when installing software:
    • Discover potentially hidden behavior about the software you're going to install
    • Pick up on things you missed when reading license agreements
    • Keep a saved database of the license agreements you view
    • Instant results - super-fast analysis in just a second
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

Glad I could help :flowers:
Hi there, stranger!

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:55 AM

Posted 04 December 2005 - 09:01 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. Everyone else, please begin a New Topic. :thumbsup:
Hi there, stranger!



