
Hjt Log - Bobv


16 replies to this topic

#1 bobv

bobv

  • Members
  • 13 posts

Posted 04 November 2005 - 09:18 AM

This is the HijackThis log I was asked to post.

Logfile of HijackThis v1.99.1
Scan saved at 15:06:10, on 04/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\BPTOOL~1\TkTrker.Exe
C:\Program Files\PIPC\BIN\pilogsrv.exe
C:\Program Files\PIPC\BIN\pinetmgr.exe
C:\WINNT\System32\Lgnserv.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\PIPC\BIN\pimsgss.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\nvctrl.exe
C:\WINNT\SYSTEM32\mssearchnet.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://globalsearch.bpweb.bp.com/searchleft2.asp?Button=Yes
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BP Group Digital Business
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bp1bocpa001.bp.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.bp.com;*.*.*.bp.com;*.arco.com;*.amoco.com;*.*.amoco.com;*.*.*.amoco.com;*.*.mobil.com;*.*.*.mobil.com;osir.com;*.osir.com;*.*.osir.com;bpamoco.net;172.16.*.*;<local>
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINNT\System32\hp11DD.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BPAnet - {22747870-332D-11d4-8F81-006097BFD80E} - http://bpamoco.net (file missing)
O9 - Extra 'Tools' menuitem: Go to BP - {22747870-332D-11d4-8F81-006097BFD80E} - http://bpamoco.net (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.bpweb.bp.com
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://bperoom.bp.com/eRoomSetup/client.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C4FAC858-07D8-4FD0-9B6B-902E7AD098B2} (GoldMenu.BPMenu) - http://gold.bpweb.bp.com/ocx/GoldMenu.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mymeetingsssl.webex.com/client/v_my...bex/ieatgpc.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://bperoom.bp.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\Software\..\Telephony: DomainName = bp1.ad.bp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe (file missing)
O23 - Service: PI-Buffer Server (bufserv) - OSI Software Inc. - C:\Program Files\PIPC\BIN\bufserv.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\System32\ccsrvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ToolKit Tracker (PCHK) - Unknown owner - C:\Program Files\BPTOOL~1\TkTrker.Exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\PIPC\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pinetmgr.exe
O23 - Service: BP COE Admin Password Changer (PwdChanger) - Unknown owner - C:\WINNT\System32\Lgnserv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: TDService - Unknown owner - C:\Program Files\Amacom\FlipBack\TDService.exe



#2 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 04 November 2005 - 11:24 AM

Welcome to the forum.

Go to the Control Panel and Add/Remove Programs and uninstall the following, if it exists:
Security Toolbar

Scan with Hijack This and put a checkmark next to the following entry:
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll

Navigate to the following folder and delete the folder in bold:
C:\Program Files\Security Toolbar

Next, download CleanUp 4.0. Install and run it. Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end; click NO.
Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

When Spy Sweeper has updated, reboot to safe mode.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Open Spy Sweeper and click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove to remove any items found. Save the log.

Exit Spy Sweeper.

Reboot to normal mode and post the results from Spy Sweeper along with a new Hijack This log.

#3 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 07 November 2005 - 04:53 AM

Welcome to the forum.

Go to the Control Panel and Add/Remove Programs and uninstall the following, if it exists:
Security Toolbar

Scan with Hijack This and put a checkmark next to the following entry:
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll

Navigate to the following folder and delete the folder in bold:
C:\Program Files\Security Toolbar

Next, download CleanUp 4.0. Install and run it. Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end; click NO.
Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

When Spy Sweeper has updated, reboot to safe mode.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Open Spy Sweeper and click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove to remove any items found. Save the log.

Exit Spy Sweeper.

Reboot to normal mode and post the results from Spy Sweeper along with a new Hijack This log.



#4 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 07 November 2005 - 07:34 AM

When you respond, just click on the "add reply" button and then you can paste your Hijack This log.

#5 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 07 November 2005 - 09:00 AM

This is the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:34, on 07/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\BPTOOL~1\TkTrker.Exe
C:\Program Files\PIPC\BIN\pilogsrv.exe
C:\Program Files\PIPC\BIN\pinetmgr.exe
C:\WINNT\System32\Lgnserv.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\PIPC\BIN\pimsgss.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://globalsearch.bpweb.bp.com/searchleft2.asp?Button=Yes
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.bpweb.bp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BP Group Digital Business
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bp1bocpa001.bp.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.bp.com;*.*.*.bp.com;*.arco.com;*.amoco.com;*.*.amoco.com;*.*.*.amoco.com;*.*.mobil.com;*.*.*.mobil.com;osir.com;*.osir.com;*.*.osir.com;bpamoco.net;172.16.*.*;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BPAnet - {22747870-332D-11d4-8F81-006097BFD80E} - http://bpamoco.net (file missing)
O9 - Extra 'Tools' menuitem: Go to BP - {22747870-332D-11d4-8F81-006097BFD80E} - http://bpamoco.net (file missing)
O9 - Extra button: OneBP sidebar - {2A788CEE-150C-46e0-97F1-E30F3D0AFAC4} - C:\Program Files\OneBP\OneBP sidebar\ATLBPWorldCompanion.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.bpweb.bp.com
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://bperoom.bp.com/eRoomSetup/client.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C4FAC858-07D8-4FD0-9B6B-902E7AD098B2} (GoldMenu.BPMenu) - http://gold.bpweb.bp.com/ocx/GoldMenu.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mymeetingsssl.webex.com/client/v_my...bex/ieatgpc.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://bperoom.bp.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\Software\..\Telephony: DomainName = bp1.ad.bp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe (file missing)
O23 - Service: PI-Buffer Server (bufserv) - OSI Software Inc. - C:\Program Files\PIPC\BIN\bufserv.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\System32\ccsrvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ToolKit Tracker (PCHK) - Unknown owner - C:\Program Files\BPTOOL~1\TkTrker.Exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\PIPC\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pinetmgr.exe
O23 - Service: BP COE Admin Password Changer (PwdChanger) - Unknown owner - C:\WINNT\System32\Lgnserv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TDService - Unknown owner - C:\Program Files\Amacom\FlipBack\TDService.exe
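As an added example (not code from this thread or from HijackThis), the script below parses HijackThis v1.99.1 entries, diffs a "before" and "after" log, and attaches a few defender review notes. The embedded samples are a handful of entries copied from the two logs bobv posted above; the heuristics (a BHO or toolbar loaded from a .tmp file, a "(file missing)" orphan, an AppInit_DLLs entry to confirm with the vendor) are the example's own assumptions, not a verdict on any entry.

```python
"""Parse, triage and diff HijackThis v1.99.1 logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One entry per line: "<section> - <body>", optionally suffixed with " (file missing)".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Entry:
    section: str        # "O2", "O3", "O20", ...
    body: str           # entry text without the "(file missing)" marker
    file_missing: bool  # HijackThis could not find the referenced file on disk

    @property
    def path(self) -> str:
        """Last ' - ' segment of the body (the module or target path), lower-cased."""
        return self.body.rsplit(" - ", 1)[-1].strip().lower()


def parse_log(text: str) -> list[Entry]:
    """Keep only R*/O* entries; header lines and process listings are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sec"], m["body"].strip(), m["missing"] is not None))
    return entries


def triage(entries: list[Entry]) -> dict[str, str]:
    """Heuristic review notes keyed by entry body (a checklist for the reviewer, not a verdict)."""
    notes = {}
    for e in entries:
        if e.file_missing:
            notes[e.body] = "orphaned: registry entry remains but the file is gone; fix the entry in HijackThis"
        elif e.section in ("O2", "O3") and e.path.endswith(".tmp"):
            notes[e.body] = "suspicious: browser helper/toolbar loaded from a .tmp file"
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs"):
            notes[e.body] = "review: DLL injected into every process; confirm the vendor"
    return notes


def diff_logs(before: list[Entry], after: list[Entry]) -> dict[str, list[str]]:
    """Entries removed, added, or whose file disappeared while the entry itself stayed."""
    b = {e.body: e for e in before}
    a = {e.body: e for e in after}
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "went_missing": sorted(k for k in a if k in b and a[k].file_missing and not b[k].file_missing),
    }


# Constructed samples: a few entries copied from the 04/11/2005 and 07/11/2005 logs in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINNT\System32\hp11DD.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for kind, items in diff_logs(before, after).items():
        print(f"{kind}: {items}")
    for body, note in triage(after).items():
        print(f"{note}\n    {body}")
```

On the thread's own logs the diff shows the HomepageBHO entry gone and the Security Toolbar entry still present but with its file missing, which is the orphaned registry entry viccy asked to have checked in HijackThis.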

#6 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 07 November 2005 - 10:41 AM

Did you complete the instructions I gave you about CleanUp and Spy Sweeper, and deleting the entries with Hijack This?

#7 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 08 November 2005 - 04:41 AM

Did you complete the instructions I gave you about CleanUp and Spy Sweeper, and deleting the entries with Hijack This?


Yes, and the problem was solved. I posted a reply but probably did something wrong.
Thanks again for the excellent service. Above, you see the HijackThis log after the Spysweep run.

#8 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 08 November 2005 - 09:51 AM

I'd like to see the report from Spy Sweeper to be sure we've got everything cleaned up.

#9 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 15 November 2005 - 02:57 AM

I'd like to see the report from Spy Sweeper to be sure we've got everything cleaned up.

Where do I find the report from SpySweeper?

#10 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 15 November 2005 - 07:45 AM

After you've run Spy Sweeper and choose to fix anything it finds, there will be a button to "save report".

#11 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 16 November 2005 - 05:27 AM

After you've run Spy Sweeper and choose to fix anything it finds, there will be a button to "save report".

Ran SpySweeper again and below is the logfile. The PCWATCH is OK in my opinion (a locally developed in-house application is using it).
********
11:03: | Start of Session, 16 November 2005 |
11:03: Spy Sweeper started
11:03: Sweep initiated using definitions version 572
11:03: Starting Memory Sweep
11:05: Memory Sweep Complete, Elapsed Time: 00:02:21
11:05: Starting Registry Sweep
11:05: Registry Sweep Complete, Elapsed Time:00:00:16
11:05: Starting Cookie Sweep
11:05: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:05: Starting File Sweep
11:10: Found System Monitor: pcwatch
11:10: setup.exe (ID = 167145)
11:14: File Sweep Complete, Elapsed Time: 00:08:12
11:14: Full Sweep has completed. Elapsed time 00:10:58
11:14: Traces Found: 1
********
11:01: | Start of Session, 16 November 2005 |
11:01: Spy Sweeper started
11:03: | End of Session, 16 November 2005 |

#12 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 16 November 2005 - 06:42 AM

After you've run Spy Sweeper and choose to fix anything it finds, there will be a button to "save report".

The following things were removed by SpySweeper:
dapsol dialer
popuper
psguard desktop hijacker
security2k hijacker
spysheriff
trojan-downloader-zlob

#13 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 16 November 2005 - 07:06 AM

The following things were removed by SpySweeper:
dapsol dialer
popuper
psguard desktop hijacker
security2k hijacker
spysheriff
trojan-downloader-zlob


It removed these in your last scan?

Edited by viccy, 16 November 2005 - 07:09 AM.


#14 bobv

bobv
  • Topic Starter

  • Members
  • 13 posts

Posted 18 November 2005 - 02:55 AM

The following things were removed by SpySweeper:
dapsol dialer
popuper
psguard desktop hijacker
security2k hijacker
spysheriff
trojan-downloader-zlob


It removed these in your last scan?

No, they were removed in the first scan I ever did.

#15 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 18 November 2005 - 07:18 AM

Could you post a new Hijack This log and maybe we can wrap this up?