?anregw, Anreg~1 (.../system32/?stem?)


This topic is locked
13 replies to this topic

#1 Treikayan

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 06 July 2006 - 11:42 AM

Hello all,

I'm having trouble, first, ending the daemon of ??anregw.exe in my task manager. It would not let me end the daemon. I did some research and I recognize the problem as malware; however, some of the research I turned up seems to indicate that this program creates files on the hard disk that are not random names and as obscure or unrecognizable files. So, I ran the HJT program to help me. Below is a scan log from HJT. I just need a little help determining which files or keys are infected so I can delete them. Thank you to anyone who has a good eye on this one. :thumbsup:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slpservice.exe
C:\WINNT\system32\slpmonx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\SYSTEM32\??stem32\??anregw.exe
C:\WINNT\thiselt.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\DOCUME~1\PatA\LOCALS~1\Temp\!update.exe
C:\Program Files\atce\trdb.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
R3 - URLSearchHook: (no name) - {6AD00F43-C2AB-CC57-A532-EE2B51CA839C} - C:\WINNT\system32\sygl.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,tbxymfy.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINNT\system32\nodeipproc.dll
O2 - BHO: (no name) - {6AD00F43-C2AB-CC57-A532-EE2B51CA839C} - C:\WINNT\system32\sygl.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINNT\system32\adrotate.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Brct] "C:\Program Files\atce\trdb.exe" -vt tzt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LifeBanc
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Procrastinate Now!!!
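A HijackThis log like the one above is read by eye, line by line, for a handful of indicator types: a path whose directory name only looks like system32, a core process name reused as a DLL, extra executables on the Shell= / UserInit= lines, Trusted Zone additions, ActiveX downloads from ad networks, and Run keys that open a browser at a URL. The following script is an added example, not code from this post, from HijackThis or from BleepingComputer; it parses HijackThis-style lines and flags those indicator classes for review. The checks, the name `triage` and the sample log (a constructed subset of the lines quoted in the post) are my own; they are heuristics that mark entries for a second look, not HijackThis rules and not a verdict of "infected". The `??stem32` directory shows question marks because the forum could not render its real characters, and `?` is not a legal character in a Windows path, which is why the first check treats it as a look-alike.

```python
import re

# Core Windows process names that the adware in this thread imitates
# (a csrss.dll loaded via AppInit_DLLs, next to the real csrss.exe).
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "services", "svchost"}
# A drive-letter path up to a program-file extension, spaces included.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cmd|cab)\b', re.IGNORECASE)
# User or system Temp directories, in 8.3 and long forms.
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings|WINNT|Windows)\\Temp\\", re.IGNORECASE)
# A HijackThis entry line (R0, F2, N1, O4, O23, ...) as opposed to a process path.
ENTRY_RE = re.compile(r"[RFNO]\d+ - ")

def windows_paths(line):
    """Every drive-letter path to a program file found in one log line."""
    return PATH_RE.findall(line)

def has_lookalike_path(line):
    """True when a path holds a character no legitimate Windows path has: '?' or any
    non-ASCII code point. Only path tokens are inspected, so a vendor name such as
    "Intel®" elsewhere on an O23 line does not trip the check."""
    return any(c == "?" or ord(c) > 126 for p in windows_paths(line) for c in p)

def mimics_system_process(line):
    """True when a core process name is used as a library (csrss.dll) or the entry is
    AppInit_DLLs, which loads its DLLs into every process that loads user32.dll."""
    if line.startswith("O20 - AppInit_DLLs:"):
        return True
    for path in windows_paths(line):
        stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
        if stem in SYSTEM_PROCESS_NAMES and ext != "exe":
            return True
    return False

def shell_or_userinit_extras(line):
    """Executables appended to the system.ini Shell= / UserInit= values beyond
    Explorer.exe / userinit.exe; anything listed there runs at every logon."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
    if not m:
        return []
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[m.group(1)]
    values = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return [v for v in values if v.rsplit("\\", 1)[-1].lower() != expected]

def zone_or_download_reason(line):
    """Reason for an O15 Trusted Zone addition or an O16 ActiveX download from a host
    outside Microsoft's update domains; None otherwise."""
    if line.startswith("O15 - Trusted Zone:"):
        return "site added to the IE Trusted Zone (fewer ActiveX prompts)"
    m = re.match(r"O16 - DPF: .* - https?://([^/\s]+)/", line)
    if m and not m.group(1).lower().endswith(("microsoft.com", "windowsupdate.com")):
        return "ActiveX control downloaded from " + m.group(1)
    return None

def run_launches_browser(line):
    """True for an O4 Run entry that starts Internet Explorer at a URL."""
    return line.startswith("O4 - ") and re.search(r"iexplore\.exe\s+https?://", line, re.I) is not None

def triage(log_text):
    """Return [(line, [reasons])] for every log line that trips a check."""
    findings, in_processes = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False
        reasons = []
        if has_lookalike_path(line):
            reasons.append("path contains '?' or non-ASCII characters (look-alike directory)")
        if mimics_system_process(line):
            reasons.append("core process name used as a DLL / AppInit_DLLs entry")
        extras = shell_or_userinit_extras(line)
        if extras:
            reasons.append("extra logon executable(s): " + ", ".join(extras))
        if zone_or_download_reason(line):
            reasons.append(zone_or_download_reason(line))
        if run_launches_browser(line):
            reasons.append("Run key opens Internet Explorer at a URL")
        if in_processes and any(TEMP_RE.search(p) for p in windows_paths(line)):
            reasons.append("process running from a Temp directory")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample: a subset of the lines quoted in the HijackThis log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\??stem32\??anregw.exe
C:\DOCUME~1\PatA\LOCALS~1\Temp\!update.exe
C:\Temp\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,tbxymfy.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Run against the sample it flags eight lines and leaves the real smss.exe, the Adobe BHO, the Intel service and HijackThis itself alone. Two design points matter for false positives: the non-ASCII test is applied to path tokens only, so the "®" in a vendor name on an O23 line is ignored, and the Temp test matches user and system Temp directories rather than any folder named Temp, so a tool deliberately run from C:\Temp is not reported. The output is a review list, not a fix list; which entries to remove is still a judgement call for whoever reads the log.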


#2 Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:07:46 AM

Posted 07 July 2006 - 07:37 AM

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. Please make sure that you follow these in the order I have listed.

=====================================

Download ATF Cleaner
  • Save it to your Desktop.
  • Do not run it yet. We will use this later.
Download Ewido Anti-Spyware
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Click on the Settings tab.
    • Under How to act? click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan? all boxes should be selected.
    • Under Possibly unwanted software: all boxes should be checked.
    • Under Reports: click on Automatically generate report after every scan.
    • Under What to scan? select Scan every file.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
  • If you are having problems with the updater, you can use this link to manually update ewido » Ewido manual updates.
=====================================

Download Brute Force Uninstaller to your desktop.
  • Right click the file on your Desktop, and choose Extract All.
  • Click Next.
  • In the box to choose where to extract the files to:
  • Click Browse.
  • Click on the + sign next to My Computer
  • Click on Local Disk (C:) or whatever your primary drive is.
  • Click Make New Folder
  • Type in BFU
  • Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download alcanshorty.bfu (right-click on that link and select Save As)
  • Save it in the same folder you made earlier - C:\BFU (Important!)
=====================================

Uninstall Programs
  • Click Start » Control Panel » Add/Remove Programs
  • Find and remove the following program(s) (if present):

    PuritySCAN By OIN
    OIN
    OuterInfo


  • Close Add/Remove Programs window after uninstalling.
  • If there are no entries listed on Add/Remove programs, please download and run this uninstaller: OiUninstaller.exe
=====================================

Reboot into Safe Mode
  • Restart your computer.
  • Before the Windows logo appears, tap F8 repeatedly.
  • A menu should appear, select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take longer than usual, so just wait.
=====================================

Locate and delete the following folder(s), if present : C:\Program Files\PurityScan
=====================================

Run ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

=====================================

Run Ewido Anti-Spyware
  • Please close all Windows, Programs or Browsers.
  • Open Ewido.
  • Click on Scanner
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When scan has finished, at bottom of the screen click Apply all Actions.
  • Click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
=====================================

Run Brute Force Uninstaller

Go to Start » My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Beside the white box field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
=====================================

Restart your computer

=====================================

In your next reply, please include these log(s):
  • HijackThis log (new)
  • Ewido

Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 Treikayan

  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 07 July 2006 - 08:55 AM

Thanks Jag11. I downloaded the programs that you recommended. Before I came back to see if there were any replies here, though, I did some cleaning with HijackThis. Below is the original log; however, I've color-coded some changes. I'm not at the "infected computer" right now. I disconnected it from the domain to do the HijackThis scans and just because the pop-ups were so annoying. :thumbsup:

HijackThis Log file from 7-6-2006 with color-coded changes:

Green = successful fix or delete of the item
Yellow = will not delete
Red = questionable
blue = definite, legitimate item


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slpservice.exe
C:\WINNT\system32\slpmonx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\SYSTEM32\??stem32\??anregw.exe
C:\WINNT\thiselt.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\WINNT\Seiko\slpcap.exe

C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\DOCUME~1\PatA\LOCALS~1\Temp\!update.exe
C:\Program Files\atce\trdb.exe

C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
R3 - URLSearchHook: (no name) - {6AD00F43-C2AB-CC57-A532-EE2B51CA839C} - C:\WINNT\system32\sygl.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,tbxymfy.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINNT\system32\nodeipproc.dll
O2 - BHO: (no name) - {6AD00F43-C2AB-CC57-A532-EE2B51CA839C} - C:\WINNT\system32\sygl.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINNT\system32\adrotate.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Brct] "C:\Program Files\atce\trdb.exe" -vt tzt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LifeBanc
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by Treikayan, 07 July 2006 - 09:04 AM.

Procrastinate Now!!!

#4 Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:07:46 AM

Posted 07 July 2006 - 09:23 AM

Yes, some of those things you fixed are correct, but some are NOT. We don't advise users to fix things in HijackThis by themselves; you might just make things worse.

Have you followed my instructions already?
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#5 Treikayan

  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 07 July 2006 - 10:19 AM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:55:42 AM 07/07/06

+ Scan result:



C:\Temp\backups\backup-20060707-090019-177.dll -> Adware.BHO : No action taken.
C:\Temp\backups\backup-20060707-084718-721.dll -> Adware.MediaMotor : No action taken.
C:\Temp\backups\backup-20060707-090019-877.dll -> Adware.PurityScan : No action taken.
C:\WINNT\SYSTEM32\__delete_on_reboot__c_s_r_s_s_._d_l_l_ -> Adware.PurityScan : No action taken.
[1420] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1512] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1568] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1600] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1664] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1712] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1808] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[1848] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[192] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[248] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[260] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[328] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[448] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[480] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[556] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[588] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[608] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[632] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[684] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[716] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[820] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[844] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[928] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[944] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
[968] C:\WINNT\system32\csrss.dll -> Adware.PurityScan : No action taken.
C:\Documents and Settings\PatA\Local Settings\Temp\temp.fr2C94 -> Adware.SideFind : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindIt.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindItHot.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Highlight.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\HighlightHot.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Reference.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\ReferenceHot.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Weather.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafe.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafeA.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\findithotxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\finditxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\games.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\gamesA.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlighthotxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlightxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\logo.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\logoxp.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\maps.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\maps_over.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\moviesA.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencehotxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencexp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherhotxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherxp.png -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\contexts -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images\clear.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images\cloudy.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images\haze.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images\mcloud.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images\pcloud.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\All Users\Application Data\Starware\images\rain.bmp -> Adware.Starware : No action taken.
C:\Documents and Settings\PatA\Local Settings\Temp\i19.tmp -> Adware.SurfSide : No action taken.
C:\Temp\backups\backup-20060707-090019-297.dll -> Adware.Trafgen : No action taken.
C:\WINNT\SYSTEM32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ -> Downloader.Agent.agw : No action taken.
[1176] C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KLAWLAH6\!update-4095[1].0000 -> Downloader.PurityScan.co : No action taken.
C:\Documents and Settings\PatA\Local Settings\Temporary Internet Files\Content.IE5\17VR55CE\!update-4095[1].0000 -> Downloader.PurityScan.co : No action taken.
C:\Program Files\Common Files\Fοnts\spool32.exe -> Downloader.PurityScan.co : No action taken.
C:\WINNT\Temp\!update.exe -> Downloader.PurityScan.co : No action taken.
C:\RECYCLER\S-1-5-21-703276079-287710286-1543857936-1836\Dc1 -> Downloader.Qoologic.bj : No action taken.
C:\WINNT\SYSTEM32\__delete_on_reboot__i_f_q_u_c_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
C:\WINNT\SYSTEM32\__delete_on_reboot__r_v_a_q_c_a_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
C:\WINNT\SYSTEM32\__delete_on_reboot__x_d_a_q_t_i_k_._d_l_l_ -> Downloader.Qoologic.bj : No action taken.
C:\WINNT\SYSTEM32\xtoto.dat -> Downloader.Qoologic.bj : No action taken.
C:\Documents and Settings\PatA\Local Settings\Temporary Internet Files\Content.IE5\8F53YY39\popup[2].1 -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@greatschools.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@snagajob.122.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@ads.addynamix[2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@c.enhance[2].txt -> TrackingCookie.Enhance : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@c.goclick[1].txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@goldenpalace[1].txt -> TrackingCookie.Goldenpalace : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@ehg-boltmedia.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@ehg-traderpublishing.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@data2.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@h.starware[2].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@try.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@anad.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\PatA\Cookies\pata@anat.tacoda[2].txt -> TrackingCookie.Tacoda :

Logfile of HijackThis v1.99.1
Scan saved at 11:08:34 AM, on 07/07/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slpservice.exe
C:\WINNT\system32\slpmonx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ifquc.exe
C:\WINNT\system32\ifquc.exe
C:\WINNT\system32\ifquc.exe
C:\WINNT\system32\rvaqca.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,tbxymfy.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PPMemCheck] D:\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [rneicx] C:\WINNT\system32\rvaqca.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [nkljd] C:\WINNT\system32\rvaqca.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: kdmri.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LifeBanc
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Procrastinate Now!!!

#6 Jag11

Posted 07 July 2006 - 07:19 PM

Please run Ewido again and, after it has finished scanning, make sure to do this:

# When the scan has finished, at the bottom of the screen click Apply all Actions.
# Click the Save Scan Report button.

* Click the Save Report as button.
* Save the report to your Desktop.


Then post that log along with a new Hijackthis log :thumbsup:

Edited by Jag11, 08 July 2006 - 07:27 AM.

Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#7 Treikayan

Posted 14 July 2006 - 07:41 AM

Sorry it took so long to reply. I wasn't working on the computer for a week. I do have some logs to post though. The first one is Pest Patrol, an in-house anti-spyware program we use in the office. The second is the Ewido Log (per instructions), third is Pest Patrol again, after following instructions for Ewido. Last is the log of Hijack This. When I ran Pest Patrol the first time, I did NOT delete what it found. When I ran it the second time, I DID delete the finds.



[PEST PATROL] - DID NOT DELETE SPYWARE FINDS...
OS: Windows 2000
Product Edition: Corporate
PestPatrol.exe: 12/27/2004 4.4.4.81
PestPatrolCL.exe: 12/15/2004 4.4.4.80
Pest Database: 7/10/2006

Pests found:

AdRotator,HKEY_CLASSES_ROOT\bannerrotator.rotator,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_CLASSES_ROOT\bannerrotator.rotator.1,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic,HKEY_CLASSES_ROOT\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic,HKEY_CLASSES_ROOT\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_CLASSES_ROOT\interface\{407fc66d-6224-4aeb-aa79-8aecb1c4d4a1},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_CLASSES_ROOT\typelib\{defdeada-c390-4eb9-97fa-59d56b21e5d5},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
SmitFraud,HKEY_CURRENT_USER\software\ianitime,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
SafeSurfing,HKEY_CURRENT_USER\software\irismon,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic,HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_LOCAL_MACHINE\software\microsoft\rotator,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Webnexus,HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Mirar,HKEY_LOCAL_MACHINE\software\qstat,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
SafeSurfing,C:\WINNT\system32\unirimon.exe,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
EliteMedia,C:\WINNT\yoinsi.exe,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
TrafficSector,C:\WINNT\SYSTEM32\adrot-uninst.exe,-1247206905,0602ce02b435c6647eca8cfa2e6e06c9,7/14/2006,00-0D-56-C1-22-4A,USA



[EWIDO] - FOLLOWED INSTRUCTIONS of Jet Ian
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:16:46 AM 07/14/06

+ Scan result:



C:\WINNT\SYSTEM32\xtoto.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1144] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1224] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1528] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1552] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1580] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1624] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1636] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1700] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1756] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1856] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1896] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1908] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
[648] C:\WINNT\system32\xdaqtik.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\Documents and Settings\PatA\Cookies\pata@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\PatA\Cookies\pata@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\PatA\Cookies\pata@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).


::Report end



[PEST PATROL] - DELETED SPYWARE SELECTIONS
OS: Windows 2000
Product Edition: Corporate
PestPatrol.exe: 12/27/2004 4.4.4.81
PestPatrolCL.exe: 12/15/2004 4.4.4.80
Pest Database: 7/10/2006

Pests found:

AdRotator,HKEY_CLASSES_ROOT\bannerrotator.rotator,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_CLASSES_ROOT\bannerrotator.rotator.1,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic,HKEY_CLASSES_ROOT\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic,HKEY_CLASSES_ROOT\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_CLASSES_ROOT\interface\{407fc66d-6224-4aeb-aa79-8aecb1c4d4a1},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_CLASSES_ROOT\typelib\{defdeada-c390-4eb9-97fa-59d56b21e5d5},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
SmitFraud,HKEY_CURRENT_USER\software\ianitime,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
SafeSurfing,HKEY_CURRENT_USER\software\irismon,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic,HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1},na,na,7/14/2006,00-0D-56-C1-22-4A,USA
AdRotator,HKEY_LOCAL_MACHINE\software\microsoft\rotator,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Webnexus,HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Mirar,HKEY_LOCAL_MACHINE\software\qstat,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
SafeSurfing,C:\WINNT\system32\unirimon.exe,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
EliteMedia,C:\WINNT\yoinsi.exe,na,na,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic.bj,C:\WINNT\system32\rvaqca.exe,373852809,1dcdaf76521850f8a8980249ba098cf8,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic.bj,C:\WINNT\system32\ifquc.exe,-262931025,34927efd7594648462bb18e713ada55f,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic.bj,C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kdmri.exe,373852809,1dcdaf76521850f8a8980249ba098cf8,7/14/2006,00-0D-56-C1-22-4A,USA
TrafficSector,C:\WINNT\SYSTEM32\adrot-uninst.exe,-1247206905,0602ce02b435c6647eca8cfa2e6e06c9,7/14/2006,00-0D-56-C1-22-4A,USA
Win32.Qoologic.bj,C:\WINNT\SYSTEM32\tbxymfy.exe,1490837153,272e1d5eb4e85c4e03633f7d431fd6be,7/14/2006,00-0D-56-C1-22-4A,USA



[HIJACK THIS LOG]
Logfile of HijackThis v1.99.1
Scan saved at 8:32:35 AM, on 07/14/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slpservice.exe
C:\WINNT\system32\slpmonx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\PestPatrol\PPMemCheck.exe
C:\PestPatrol\PPControl.exe
C:\PestPatrol\CookiePatrol.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINNT\system32\notepad.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,tbxymfy.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [rneicx] C:\WINNT\system32\rvaqca.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [Remove at boot] C:\DeleteAtReboot.bat
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [nkljd] C:\WINNT\system32\rvaqca.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: kdmri.to_be_deleted
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LifeBanc
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

COLD BOOT!

#8 Treikayan

Posted 14 July 2006 - 07:57 AM

After a COLD BOOT!

I re ran the Pest Patrol and HijackThis scans:

[PEST PATROL LOG]
Empty - 0 bugs


[HIJACK THIS LOG]
Logfile of HijackThis v1.99.1
Scan saved at 8:47:44 AM, on 07/14/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slpservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\slpmonx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\PestPatrol\PPMemCheck.exe
C:\PestPatrol\PPControl.exe
C:\PestPatrol\CookiePatrol.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,tbxymfy.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [rneicx] C:\WINNT\system32\rvaqca.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [nkljd] C:\WINNT\system32\rvaqca.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LifeBanc
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#9 Jag11

Posted 14 July 2006 - 08:30 AM

Ok let's continue :thumbsup:

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. It is also important that you don't miss a step and that you perform everything in the right order.

=====================================

Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Locate and delete the following file(s), if present : C:\WINNT\system32\csrss.dll
Tell me if you ran into troubles when deleting this file.

=====================================


Download Qoofix by RubbeR DuckY
  • Unzip all files to C:\Qoofix.
  • Close all windows and programs, including internet windows.
  • Go to the C:\Qoofix and open it, then double-click on Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If QooFix finds an infection, select yes to restart your computer.
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Post the contents of that file along with a new Hijackthis log. :flowers:

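Worked triage example, added here; it is not code from this thread, from HijackThis, or from any of the tools named above. It parses HijackThis v1.99 log lines like the ones posted in #7 and #8 and flags the persistence points this infection used: extra programs appended to the Winlogon Shell= and UserInit= values (the F2 lines), an AppInit_DLLs entry (the O20 line Jag11 has you fix in #9), a bare executable in the all-users Startup folder (kdmri.exe), the same command registered under both HKLM and HKCU Run (rvaqca.exe reg_run), and an IE extension whose DLL is already gone. A second function lists what disappeared between two logs, which is the check to run against the log posted after the fix. The sample log lines are constructed by trimming and combining the logs in this thread; the allowlist of Winlogon defaults, the list of system-process names and the heuristics themselves are this example's own assumptions, not HijackThis rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines trimmed and combined from the HijackThis logs posted
# above (07/07 and 07/14 08:47 AM), i.e. the state before the O20 fix.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ifquc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,tbxymfy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rneicx] C:\WINNT\system32\rvaqca.exe reg_run
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [nkljd] C:\WINNT\system32\rvaqca.exe reg_run
O4 - Global Startup: kdmri.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O20 - AppInit_DLLs: C:\WINNT\system32\csrss.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""

# Constructed sample: the same entries as they appear in the 2:25 PM log posted
# after the fix (hijacked entries gone, legitimate ones unchanged).
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""

# Assumption: the only programs Winlogon should start from these two values on
# Windows 2000/XP; anything else appended to them runs at every logon.
WINLOGON_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# Assumption: core Windows process names that malware borrows for its own DLLs.
SYSTEM_PROCESS_STEMS = {"csrss", "smss", "lsass", "winlogon", "services", "svchost"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with quotes and directories stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section code, body) pairs such as ('O4', 'HKLM\\..\\Run: ...')."""
    entries = []
    for line in log.splitlines():
        m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log: str) -> List[str]:
    """Return one finding per suspicious persistence entry in a HijackThis log."""
    findings: List[str] = []
    run_cmds: Dict[str, Dict[str, str]] = {"HKLM": {}, "HKCU": {}}  # hive -> command -> value name
    for code, body in parse_entries(log):
        if code == "F2":  # Winlogon Shell= / UserInit= as HijackThis reports them
            m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)", body)
            if m:
                key = m.group(1)
                for value in m.group(2).split(","):
                    if value.strip() and _basename(value) not in WINLOGON_DEFAULTS[key.lower()]:
                        findings.append(f"Winlogon {key}= starts an extra program at logon: {value.strip()}")
        elif code == "O4":
            m = re.match(r"(HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(.*?)\] (.*)", body)
            if m:
                hive, name, cmd = m.groups()
                run_cmds[hive][cmd.strip().lower()] = name
                continue
            m = re.match(r"Global Startup: (.*)", body)
            if m:
                item = m.group(1).split(" = ", 1)[0]
                # A .lnk shortcut is normal; a bare executable in the all-users Startup folder is how kdmri.exe was planted.
                if not item.lower().endswith(".lnk"):
                    findings.append(f"Executable placed directly in all-users Startup folder: {item}")
        elif code == "O9" and body.endswith("(file missing)"):
            findings.append(f"Orphaned IE extension registration (file already removed): {body}")
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            note = " (name mimics a core Windows process)" if _basename(dll).rsplit(".", 1)[0] in SYSTEM_PROCESS_STEMS else ""
            findings.append(f"AppInit_DLLs loads into every user32-linked process{note}: {dll}")
    # One command under both hives with different value names (rvaqca.exe reg_run as 'rneicx' and 'nkljd') is a redundancy trick.
    for cmd in sorted(set(run_cmds["HKLM"]) & set(run_cmds["HKCU"])):
        findings.append(f"Same command under HKLM and HKCU Run as {run_cmds['HKLM'][cmd]!r}/{run_cmds['HKCU'][cmd]!r}: {cmd}")
    return findings


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one (what the cleanup removed)."""
    after_bodies = {body for _, body in parse_entries(after)}
    return [f"{code} - {body}" for code, body in parse_entries(before) if body not in after_bodies]


if __name__ == "__main__":
    print(*triage(LOG_BEFORE), sep="\n")
    print(*removed_entries(LOG_BEFORE, LOG_AFTER), sep="\n")
```

Run it as a script to print the findings, or import it and call triage() on a saved log. It only reads a log file and changes nothing on the machine, and a clean triage() result says nothing about a DLL already injected into running processes, which is why the thread re-ran the scans after a cold boot.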

#10 Treikayan

Posted 14 July 2006 - 12:01 PM

I completed a new scan and fixed the appropriate key; however, I get this error

Posted Image
https://ssl-proxy-updated.herokuapp.com/5ab93559fa1531172137c45ca27645efe9ced8bc/687474703a2f2f69372e70686f746f6275636b65742e636f6d2f616c62756d732f793239392f6d68617261626861756e742f6d65726a696e2e6a7067/

I didn't go any further down the list, until I know for sure that I didn't screw anything up and that this is a normal "reaction." :thumbsup:

I did re-run HijackThis and item O20 was gone. BTW, thank you for all your support, Jag11 :flowers:

[Edit]

Also, I checked the system32 folder for csrss.dll. I could not find it; however, csrss.exe does exist and I did NOT delete it. I believe this is a legitimate process.

Edited by Treikayan, 14 July 2006 - 12:14 PM.


#11 Treikayan

Posted 14 July 2006 - 01:34 PM

I tried running the Qoofix and it didn't find anything malicious.

Here is the new HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:25:02 PM, on 07/14/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slpservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\slpmonx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\PestPatrol\PPMemCheck.exe
C:\PestPatrol\PPControl.exe
C:\PestPatrol\CookiePatrol.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\EXPLORER.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lbmail/default.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LifeBanc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LifeBanc
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Procrastinate Now!!!
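As an added example (not from this thread and not part of HijackThis itself), a small Python parser for the O4 Run-key and O23 service lines in a log like the one above; it flags entries whose image path is relative, outside the usual system directories, or hidden behind a launcher wrapper as worth a second look, not as a malware verdict. The sample lines are constructed from this log's own entries, and the EXPECTED_ROOTS directory list is an assumption for a Windows 2000 install.

```python
import re

# Constructed sample: O4 Run-key and O23 service lines in the shape of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINNT\system32\slpservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumption: where startup items normally live on this Windows 2000 install.
EXPECTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")
LAUNCHERS = ("cmd", "cmd.exe", "rundll32.exe")   # wrappers that hide the real target
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def image_of(command):
    """Program a Run-key command launches: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]

def triage(image):
    """Reasons an image path deserves a second look (not a malware verdict)."""
    low, flags = image.lower(), []
    if not re.match(r"^[a-z]:\\", low):
        flags.append("relative path: resolved through PATH, easy to shadow")
    elif not low.startswith(EXPECTED_ROOTS):
        flags.append("outside WINNT / Program Files")
    if low.rsplit("\\", 1)[-1] in LAUNCHERS:
        flags.append("launcher wrapper: inspect the real target")
    return tuple(flags)

def parse_hjt(text):
    """Return (kind, name, image, flags) for each O4 and O23 line in an HJT log."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            image = image_of(m.group(3))
            entries.append(("O4", m.group(2), image, triage(image)))
        elif m := O23_RE.match(line):
            entries.append(("O23", m.group(1), m.group(3), triage(m.group(3))))
    return entries

def suspicious(text):
    """Only the entries that picked up at least one flag."""
    return [e for e in parse_hjt(text) if e[3]]
```

On the sample above, only the sethook launcher and the bare internat.exe entry are flagged; both are legitimate here, which is exactly why the output is a review list and not a verdict.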

#12 Treikayan

Treikayan
  • Topic Starter

  • Members
  • 57 posts

Posted 14 July 2006 - 02:29 PM

Jag11, I would like to thank you once again for all your technical support. I believe the Qoologic is gone and that the computer is clean. :thumbsup:

TAKE A BOW! :flowers:
Procrastinate Now!!!

#13 Jag11

Jag11

  • Members
  • 1,027 posts
  • Location:127.0.0.1

Posted 14 July 2006 - 07:57 PM

Yes it is! Your log is now clean! If you still have any other problems/questions, just post them here.

Update Java
  • Go to Start » Control Panel » Add/Remove Programs.
  • Search for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • Click that entry and then click on the Change/Remove button.
  • Then download and install the newest version from here.
Now that you're clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Re-Hide System Files and Folders:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Deselect the Show hidden files and folders option
  • Select the Hide protected operating system files option
  • Click Yes to confirm
  • Click OK
2.) Reset and Re-enable your System Restore

We need to do this to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Click Start » Run » ( type: SYSDM.CPL ) » OK
  • Click the System Restore tab.
  • Check - Turn off System Restore.
  • Click Apply.
  • Uncheck - Turn off System Restore.
  • Click OK.
You have now flushed your previous System Restore points, so we will make a new one again since your computer is already clean.
  • Go to Start » All Programs » Accessories » System Tools, and select System Restore
  • In the System Restore prompt, select: Create a restore point
  • Click Next
  • Give a description to the new Restore Point. (Something like: Clean PC)
  • Click Create
  • Then close the window
3.) How to Prevent Re-Infection

Please take your time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, open Internet Explorer, then select Tools » Windows Update, and follow the online instructions from there.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Firewall (a must!) - It is definitely a must have. Two good free versions are Kerio and ZoneAlarm.
  • Anti-Virus (a must!) - It is also a must have. Two good programs are Avast and AVG, they're both free.
    Note: You must only use 1 (one) AV because if you have 2 AVs, they will conflict with each other and will only make your system slow.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#14 Jag11

Jag11

  • Members
  • 1,027 posts
  • Location:127.0.0.1

Posted 16 July 2006 - 06:02 AM

Since this issue appears resolved... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Jet Ian



