HJT Log - Please help Diagnose - Angela


11 replies to this topic

#1 Angela12345


Posted 01 January 2005 - 11:36 PM

About 10 days ago I got hijacked (I think). The virus scan I am using was put on my computer by the guys that set up our server at work & is called SonicWall which uses VirusScan ASAP by McAfee. All along I thought this was a firewall as well, but the more I have looked into it, I think this is just virus protection.

When it happened, I immediately ran a virus scan & didn't find anything. I have spent the last week reading about how to fix this. Had no idea there was so much that needed to be done to protect myself ! I thought if I had virus protection I was fine. Have learned a lot ... I have switched to Firefox as my browser, downloaded & ran both Adaware (found 255 objects!) & then Spybot, and also installed Spyware Blaster. I have not yet checked for critical updates (Windows 2000 Professional) or verified if I have a firewall or not. Is there anything else I need to do that I haven't listed here ?

After running Adaware & Spybot, I *think* I still have problems with the following ... ClearSearch, PeopleOnPage, 180Solutions, DSO Exploit. The version of HijackThis that I downloaded was 1.99.0, so I did need to use the 1.98.2 version. At any rate, HijackThis did not crash when I created the log.

As a somewhat related issue, my computer takes forever to boot up - like 10 minutes to turn my computer on in the mornings. This has always been a problem. Would this be because it is running a lot of programs or processes at startup that I maybe don't need it to ? How can I find out what it is running and what is safe to remove ? Thanks for your help !!!!

Edited: Thought I should mention that my husband works for IBM & this was originally his work computer that I inherited. It could be running a lot of things at startup that he needed for work that I don't need or use. I don't know how to differentiate what they may be, though. This is an IBM Thinkpad T20 with Pentium 3 700 MHz and 256 RAM.



Logfile of HijackThis v1.99.0
Scan saved at 10:30:31 PM, on 1/1/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\C4EBReg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\drivers\ldlcserv.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\myCIO\Agent\swAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\secure.exe
C:\WINNT\System32\mdtevent.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Application Data\mroh.exe
C:\WINNT\System32\??rvices.exe
C:\WINNT\System32\lfbw400.exe
C:\WINNT\System32\qkvkqi.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {134E6708-D4B2-488A-912B-A21815AFE428} - C:\WINNT\System32\hzpey.dll
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {9E438B79-8928-4819-8631-A93DB27C8AED} - C:\WINNT\System32\lpwbf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - C:\WINNT\System32\pmdb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4EBReg\isamsmt.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [diaqquum] C:\WINNT\System32\istrwh.exe
O4 - HKLM\..\Run: [hzpeyc] C:\WINNT\System32\hzpeyc.exe
O4 - HKLM\..\Run: [lpwbfc] C:\WINNT\System32\lpwbfc.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\secure.exe
O4 - HKLM\..\Run: [qF9i3Eh] mdtevent.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Awoa] C:\Documents and Settings\Administrator\Application Data\mroh.exe
O4 - HKCU\..\Run: [Lal] C:\WINNT\System32\??rvices.exe
O4 - HKCU\..\Run: [boqsRONtW] lfbw400.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to TO DO LIST.xls.lnk = C:\Documents and Settings\Administrator\My Documents\TO DO LIST.xls
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .bqy: C:\Program Files\Internet Explorer\PLUGINS\npbqs32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .xls: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST25 - http://sametime.cba.ufl.edu/sametime/stmee...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinternet.org/controls/LTOCX14N.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://conundrum.vailresorts.com/icm/caller.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-1.ibm.com/tools/print/plugin/ibmgpws.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.unionconcrod.org/imw32o40.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/controls/prntpro2.CAB
O16 - DPF: {CA970A6F-2347-4622-AD7C-2B3CB8B659B1} (JNILoader Control) - http://sametime.cba.ufl.edu/sametime/stmee...STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB54B847-0E47-4B34-B3ED-BF6428BACDD0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.1.107.dll
O23 - Service: ADSM Client Acceptor - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmcad.exe
O23 - Service: ADSM Remote Client Agent - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmagent.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service - IBM Global Services - C:\Program Files\C4EBReg\isamsmt.exe
O23 - Service: ISSI EZUpdate - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: LocalSystem - Unknown - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: McAfee Agent - Network Associates, Inc. - C:\WINNT\myCIO\Agent\myAgtSvc.exe
O23 - Service: Network Configuration Service - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: SonicWall VPN Client Service - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SonicWALL Agent Service - Network Associates, Inc. - C:\WINNT\myCIO\Agent\swAgent.exe
O23 - Service: TrcBoot - Unknown - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by Angela12345, 02 January 2005 - 12:15 AM.


#2 Buckeye_Sam


Posted 02 January 2005 - 08:38 AM

You have one (or more) of these programs running on your machine and that is good.

Winpatrol
Spywareguard
Spybot s&d (Teatimer option)

But prior to doing the fix below with hijackthis they need to be turned off.
Please do the following.

Right click the running icon of spybot's teatimer, and choose exit.
Right click the running icon of winpatrol, and choose exit.
Right click the running icon of Spywareguard; it will open the program. Menu, File, Exit, and confirm the program closes.

Unless they are turned off they could interfere with the fix by HijackThis.




Please download and install CWShredder.
http://cwshredder.net/bin/CWSInstall.exe


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: SDWin32 Class - {134E6708-D4B2-488A-912B-A21815AFE428} - C:\WINNT\System32\hzpey.dll
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
O2 - BHO: SDWin32 Class - {9E438B79-8928-4819-8631-A93DB27C8AED} - C:\WINNT\System32\lpwbf.dll
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - C:\WINNT\System32\pmdb.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [diaqquum] C:\WINNT\System32\istrwh.exe
O4 - HKLM\..\Run: [hzpeyc] C:\WINNT\System32\hzpeyc.exe
O4 - HKLM\..\Run: [lpwbfc] C:\WINNT\System32\lpwbfc.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\secure.exe
O4 - HKLM\..\Run: [qF9i3Eh] mdtevent.exe
O4 - HKCU\..\Run: [Awoa] C:\Documents and Settings\Administrator\Application Data\mroh.exe
O4 - HKCU\..\Run: [Lal] C:\WINNT\System32\??rvices.exe
O4 - HKCU\..\Run: [boqsRONtW] lfbw400.exe


Reboot your computer into Safe Mode




Open CWShredder and click "Fix".



Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINNT\BTGrab.dll
C:\WINNT\Helper101.dll
C:\WINNT\System32\hzpey.dll
C:\WINNT\DOWNLO~1\search3.dll
C:\WINNT\System32\lpwbf.dll
C:\WINNT\System32\pmdb.dll
C:\Program Files\CSBB <-- this folder
C:\WINNT\System32\istrwh.exe
C:\WINNT\System32\hzpeyc.exe
C:\WINNT\System32\lpwbfc.exe
C:\WINNT\System32\secure.exe
C:\WINNT\System32\mdtevent.exe
C:\Documents and Settings\Administrator\Application Data\mroh.exe
C:\WINNT\System32\lfbw400.exe




Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Wild Tangent
Viewpoint Manager
Viewpoint Media Player




Please delete these folders using Windows Explorer (if present):

C:\Program Files\WildTangent
C:\Program Files\Viewpoint




Run a full scan with Adaware while in Safe Mode.




Reboot your computer to go back to normal mode.



Please run these two online scans. Make sure they are set to clean automatically:

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/co...n_principal.htm

If there are files that cannot be removed by the scans, please include that information in your next post.




Please post a new hijackthis log and we'll see what's left.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Angela12345


Posted 02 January 2005 - 11:43 AM

You have one (or more) of these programs running on your machine and that is good.

Winpatrol
Spywareguard
Spybot s&d (Teatimer option)

But prior to doing the fix below with hijackthis they need to be turned off.
Please do the following.

Right click the running icon of spybot's teatimer, and choose exit.
Right click the running icon of winpatrol, and choose exit.
Right click the running icon of Spywareguard; it will open the program. Menu, File, Exit, and confirm the program closes.

Unless they are turned off they could interfere with the fix by HijackThis.


Hi Sam -
Thanks for taking the time to help me!
I think I need very rudimentary help. LOL. I can't figure out how to exit those programs. I don't see any running icons for any of them. When I do ctrl-alt-del, I can see 'TeaTimer.exe' running in processes in my windows task manager. The only things I see in applications is HijackThis & this Firefox browser window. I don't know what the other two are called or how to find them and I'm not sure how to turn off that TeaTimer.

#4 Buckeye_Sam


Posted 02 January 2005 - 02:01 PM

Look for the icon in your taskbar, lower right side of your screen. Right click on it and select Exit. Or you can just end the process with Windows Task Manager.

#5 Angela12345


Posted 02 January 2005 - 02:14 PM

I rebooted my computer & found the icon for the spybot teatimer. Even after I exited it, it is still showing up in processes in the task manager. Is this ok ? I don't see the other 2 programs you told me to close, but also, I don't know what their filenames are.

BTW - Is it ok for my virus protection to be running when I do all this ?

Edited by Angela12345, 02 January 2005 - 02:19 PM.


#6 Buckeye_Sam


Posted 02 January 2005 - 02:30 PM

Yes, that's OK. Go ahead and proceed with the fix and if Teatimer pops up and says that something is changing, just tell Teatimer to allow the change to happen.

Keep your antivirus running.

#7 Angela12345


Posted 03 January 2005 - 01:54 AM

Sorry it has taken so long to get back to you. My computer is soooo slow running these scans and reboots.

CWShredder said CoolWebSearch was not found on this system. Which I thought was odd because later Adaware did find it.

Was I supposed to delete the list of 14 files or directories using Windows Explorer ? That's what I used and then I went and emptied them from my recycle bin.

I did find most of them. I didn't know if this was important, but -- when deleting C:\WINNT\System32\hzpey.dll and \hzpeyc.exe, I also found similar file names like \hzpeya.xml, \hzpeyb.xml, \hzpeyd.exe, \hzpeyf.exe. There were other files on the delete list that had similar file names like that (like \lpwbf.dll), however, I only deleted the ones you specifically said to delete.

I was able to remove the entries from Add/Remove Programs in the Control Panel. They were not present when I checked from Windows Explorer.

When I ran Adaware in Safe Mode, it found 14 critical objects -- one thing that it said it could not clean and asked if I wanted to run Adaware again on reboot. I clicked yes and rebooted into normal mode. It did not find anything on the 2nd run. I saved both of those Adaware logs if needed.

I was able to run Housecall from Internet Explorer. It only found one thing and it said it was non-cleanable ... the virus was called TROJ NARRATOR.A. The file was c:\WINNT\system32\iplpiy.dll. I didn't do anything with it.

I was NOT able to run the Panda ActiveScan. When I tried running it from Internet Explorer, nothing at all happened when I clicked on scan. At the bottom of the window where you can see the address of a link you are going to when you mouseover, it says ... java script:pp(1,2,63); ... It says the same thing at the bottom of the Firefox browser window, but when I clicked on scan from Firefox, it gave me a 'browser not supported' message window.



Logfile of HijackThis v1.99.0
Scan saved at 1:11:42 AM, on 1/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\C4EBReg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\drivers\ldlcserv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\myCIO\Agent\swAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qkvkqi.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINNT\myCIO\Agent\myagttry.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\wisptis.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {134E6708-D4B2-488A-912B-A21815AFE428} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E438B79-8928-4819-8631-A93DB27C8AED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4EBReg\isamsmt.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [uidqnson] C:\WINNT\System32\istrwh.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to TO DO LIST.xls.lnk = C:\Documents and Settings\Administrator\My Documents\TO DO LIST.xls
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .bqy: C:\Program Files\Internet Explorer\PLUGINS\npbqs32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .xls: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST25 - http://sametime.cba.ufl.edu/sametime/stmee...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinternet.org/controls/LTOCX14N.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://conundrum.vailresorts.com/icm/caller.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-1.ibm.com/tools/print/plugin/ibmgpws.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.unionconcrod.org/imw32o40.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/controls/prntpro2.CAB
O16 - DPF: {CA970A6F-2347-4622-AD7C-2B3CB8B659B1} (JNILoader Control) - http://sametime.cba.ufl.edu/sametime/stmee...STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB54B847-0E47-4B34-B3ED-BF6428BACDD0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.1.107.dll
O23 - Service: ADSM Client Acceptor - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmcad.exe
O23 - Service: ADSM Remote Client Agent - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmagent.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service - IBM Global Services - C:\Program Files\C4EBReg\isamsmt.exe
O23 - Service: ISSI EZUpdate - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: LocalSystem - Unknown - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: McAfee Agent - Network Associates, Inc. - C:\WINNT\myCIO\Agent\myAgtSvc.exe
O23 - Service: Network Configuration Service - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: SonicWall VPN Client Service - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SonicWALL Agent Service - Network Associates, Inc. - C:\WINNT\myCIO\Agent\swAgent.exe
O23 - Service: TrcBoot - Unknown - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 January 2005 - 04:58 PM

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R3 - Default URLSearchHook is missing
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: (no name) - {134E6708-D4B2-488A-912B-A21815AFE428} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O2 - BHO: (no name) - {9E438B79-8928-4819-8631-A93DB27C8AED} - (no file)
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - (no file)
O4 - HKLM\..\Run: [uidqnson] C:\WINNT\System32\istrwh.exe


Delete these files if found:

C:\WINNT\System32\istrwh.exe
C:\WINNT\ZServ.dll


How is your computer running now? You've got a lot of optional items that could be removed, but there's very little malware left. Reboot your computer and post a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Angela12345

  • Topic Starter
  • Members
  • 76 posts
  • Gender:Female

Posted 03 January 2005 - 10:54 PM

Thanks so much for your help !!!!!

I checked the things you indicated, closed all browsers and windows, and clicked Fix Checked, then rebooted, but some of them are still showing on the log.

My computer is running better now (hardly any popups at all anymore - yay!). But I will take any advice to make it run even better! I want to close all of these optional items that I don't need. Most of them I don't even know what they are when I look at the HijackThis log. My computer takes forever to boot up - like 10 minutes to turn my computer on in the mornings. This has always been a problem. My husband works for IBM & this was originally his work computer that I inherited. It probably is running a lot of things at startup that he needed for work that I don't need or use. I don't know how to differentiate what they may be, though. This is an IBM ThinkPad T20 with Pentium III 700 MHz and 256 RAM.

The only things I know I use when I boot up every day ... Excel, AIM (aol instant messenger), Weatherbug, and the network at work asks me to log in automatically. I also have the google toolbar. Two things I don't use are Windows Messenger, and the Canon Multipass printer (although I do use the printer about once/month).

Do I need to do anything with the virus Housecall found? It only found one thing and it said it was non-cleanable ... the virus was called TROJ NARRATOR.A. The file was c:\WINNT\system32\iplpiy.dll. I didn't do anything with it.

What firewall do you personally recommend? At one time I had a ZoneAlarm trial version, but that expired & it no longer runs. I noticed that it is still listed in the HijackThis log, though. I thought that the virus scanner put on my computer by the guys that set up our server at work (SonicWall, which uses VirusScan ASaP by McAfee) was a firewall as well, but the more I have looked into it, I think this is just virus protection. I need to get something on here.

Also, I need to check for critical updates for my computer (Windows 2000 Professional). Will I need to post a new HijackThis log after I download the firewall and the critical updates?

Thanks again for your help. It is so nice of you to take your time to help all of us here !



Logfile of HijackThis v1.99.0
Scan saved at 9:42:30 PM, on 1/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\C4EBReg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\drivers\ldlcserv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\myCIO\Agent\swAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINNT\myCIO\Agent\myagttry.exe
C:\WINNT\System32\FxRedir.EXE
C:\WINNT\System32\qkvkqi.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\myCIO\Agent\UpdDlg.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {134E6708-D4B2-488A-912B-A21815AFE428} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E438B79-8928-4819-8631-A93DB27C8AED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4EBReg\isamsmt.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to TO DO LIST.xls.lnk = C:\Documents and Settings\Administrator\My Documents\TO DO LIST.xls
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .bqy: C:\Program Files\Internet Explorer\PLUGINS\npbqs32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .xls: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O15 - Trusted IP range: http://10.10.88.2
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST25 - http://sametime.cba.ufl.edu/sametime/stmee...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinternet.org/controls/LTOCX14N.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://conundrum.vailresorts.com/icm/caller.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-1.ibm.com/tools/print/plugin/ibmgpws.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.unionconcrod.org/imw32o40.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/controls/prntpro2.CAB
O16 - DPF: {CA970A6F-2347-4622-AD7C-2B3CB8B659B1} (JNILoader Control) - http://sametime.cba.ufl.edu/sametime/stmee...STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB54B847-0E47-4B34-B3ED-BF6428BACDD0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.1.107.dll
O23 - Service: ADSM Client Acceptor - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmcad.exe
O23 - Service: ADSM Remote Client Agent - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmagent.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service - IBM Global Services - C:\Program Files\C4EBReg\isamsmt.exe
O23 - Service: ISSI EZUpdate - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: LocalSystem - Unknown - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: McAfee Agent - Network Associates, Inc. - C:\WINNT\myCIO\Agent\myAgtSvc.exe
O23 - Service: Network Configuration Service - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: SonicWall VPN Client Service - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SonicWALL Agent Service - Network Associates, Inc. - C:\WINNT\myCIO\Agent\swAgent.exe
O23 - Service: TrcBoot - Unknown - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 January 2005 - 05:58 PM

Let's make sure you're clean of all the spyware first and then we'll start getting rid of the optionals to make your boot up faster.

The reason those lines show up again in your log is that we didn't disable TeaTimer before making the fix. Make sure you kill the process TeaTimer.exe and then fix these lines with HijackThis.

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: (no name) - {134E6708-D4B2-488A-912B-A21815AFE428} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O2 - BHO: (no name) - {9E438B79-8928-4819-8631-A93DB27C8AED} - (no file)
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - (no file)


Reboot your computer and post a new HijackThis log. If it's clean we'll start weeding out those optional items.


========================================================

#11 Angela12345

  • Topic Starter
  • Members
  • 76 posts
  • Gender:Female

Posted 04 January 2005 - 08:58 PM

I have tried it several times. Those 7 lines keep coming back. I exited TeaTimer from the bottom of the screen, verified it was not showing up in the Windows Task Manager processes, ran HijackThis, and deleted the 7 lines. Then I ran HijackThis again to verify that they were indeed gone. When I rebooted and ran HijackThis again, they were back.

Logfile of HijackThis v1.99.0
Scan saved at 8:45:23 PM, on 1/4/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\C4EBReg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\drivers\ldlcserv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\myCIO\Agent\swAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINNT\System32\FxRedir.EXE
C:\WINNT\myCIO\Agent\myagttry.exe
C:\WINNT\System32\qkvkqi.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {134E6708-D4B2-488A-912B-A21815AFE428} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E438B79-8928-4819-8631-A93DB27C8AED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4EBReg\isamsmt.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to TO DO LIST.xls.lnk = C:\Documents and Settings\Administrator\My Documents\TO DO LIST.xls
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .bqy: C:\Program Files\Internet Explorer\PLUGINS\npbqs32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .xls: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O15 - Trusted IP range: http://10.10.88.2
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST25 - http://sametime.cba.ufl.edu/sametime/stmee...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinternet.org/controls/LTOCX14N.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://conundrum.vailresorts.com/icm/caller.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-1.ibm.com/tools/print/plugin/ibmgpws.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.unionconcrod.org/imw32o40.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/controls/prntpro2.CAB
O16 - DPF: {CA970A6F-2347-4622-AD7C-2B3CB8B659B1} (JNILoader Control) - http://sametime.cba.ufl.edu/sametime/stmee...STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB54B847-0E47-4B34-B3ED-BF6428BACDD0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.1.107.dll
O23 - Service: ADSM Client Acceptor - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmcad.exe
O23 - Service: ADSM Remote Client Agent - Unknown - C:\Progra~1\IBM\ADSM\baclient\dsmagent.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service - IBM Global Services - C:\Program Files\C4EBReg\isamsmt.exe
O23 - Service: ISSI EZUpdate - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: LocalSystem - Unknown - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: McAfee Agent - Network Associates, Inc. - C:\WINNT\myCIO\Agent\myAgtSvc.exe
O23 - Service: Network Configuration Service - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: SonicWall VPN Client Service - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SonicWALL Agent Service - Network Associates, Inc. - C:\WINNT\myCIO\Agent\swAgent.exe
O23 - Service: TrcBoot - Unknown - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 January 2005 - 09:53 PM

Something is preventing HijackThis from fixing those lines, but it's not a huge deal because they are empty. The files associated with those BHOs have been deleted, so it's really just a matter of cleaning up. Let's take care of your optional stuff and then come back to the O2 lines.

I'm going to list everything that I see as optional on your log along with info or links to info so that you can decide what you want to keep and what you want to get rid of. Anything you want to get rid of, just fix with HijackThis like we've been doing all along.

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
http://support.microsoft.com/default.aspx?...kb;en-us;256139

O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
Power management driver for IBM laptops. Provides support for the use of four keys on the ThinkPad keyboard with blue key tops - Fn, F3, F4 & F12 - which have specific functions to control the standby and hibernate buttons. Not required if you don't plan to go into standby or hibernate modes.

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
Activates "ThinkPad Help" when the "ThinkPad key" is pressed on an IBM ThinkPad laptop. Also activates the audio buttons (volume up/down, mute) on models such as the ThinkPad T30.

O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4EBReg\isamsmt.exe"
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"

These have to do with internal company intranet data gathering or access to intranet systems.


O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"

Canon MultiPASS toolbox - a button bar.

O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
From TextBridge Pro 9.0 OCR scanner software. Available via Start -> Programs.

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE

Part of the OCR software TextBridge Pro 9.0 (and possibly earlier versions). Typically used with imaging devices such as scanners and digital cameras for creating text documents from images.

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
AOL Instant Messenger. If connected to the internet, automatically runs up AIM. Convenience more than anything. Available via Start -> Programs.


O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

WeatherBug provides the current outdoor temperature in the System Tray, also weather alerts. Available via Start -> Programs.

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Windows Messenger utility. If you don't use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts".

O4 - Startup: Shortcut to TO DO LIST.xls.lnk = C:\Documents and Settings\Administrator\My Documents\TO DO LIST.xls
??

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it.


O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required.

O15 - Trusted IP range: http://10.10.88.2
Remove this line unless you know you want it there for some reason.

O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST25 - http://sametime.cba.ufl.edu/sametime/stmee...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinternet.org/controls/LTOCX14N.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://conundrum.vailresorts.com/icm/caller.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-1.ibm.com/tools/print/plugin/ibmgpws.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.unionconcrod.org/imw32o40.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinternet.org/controls/prntpro2.CAB
O16 - DPF: {CA970A6F-2347-4622-AD7C-2B3CB8B659B1} (JNILoader Control) - http://sametime.cba.ufl.edu/sametime/stmee...STJNILoader.cab

None of these are malicious, but most are not necessary. Any of these that you do still use on a regular basis will automatically be reinstalled when you revisit the site that needs it.

O17 - HKLM\System\CCS\Services\Tcpip\..\{EB54B847-0E47-4B34-B3ED-BF6428BACDD0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com

No longer necessary.

O23 - Service: ISAM SMT Service - IBM Global Services - C:\Program Files\C4EBReg\isamsmt.exe
O23 - Service: ISSI EZUpdate - IBM Global Services - c:\sdwork\issimsvc.exe

More information on what services can be disabled and how to do it can be found at this site.
http://www.blackviper.com/WinXP/servicecfg.htm



Once you decide which of these you want to get rid of, post a new HijackThis log and let me know how things are running. Then we'll see about those O2 lines again.

Edited by Buckeye_Sam, 04 January 2005 - 09:54 PM.



========================================================
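A triage script, added here as an example (it is not part of the thread, BleepingComputer or HijackThis): it parses the log sections the helpers work from, separates O2 BHO entries whose file is "(no file)" (the orphaned CLSIDs discussed above) from live ones, and lists running processes that no O4 autostart, O23 service or core-Windows allowlist accounts for, so they can be reviewed. The sample log excerpt and the allowlist are constructed from lines quoted in this thread.

```python
import re

# Constructed excerpt modelled on the log lines quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\qkvkqi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F2F1C5FA-7037-5C9D-4A21-2FF074CC69CE} - (no file)
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to TO DO LIST.xls.lnk = C:\Documents and Settings\Administrator\My Documents\TO DO LIST.xls
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
"""

# Windows 2000 core processes that run without a Run key or O23 service line
# (constructed allowlist; extend it for the machine under review).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "explorer.exe", "regsvc.exe",
                  "mstask.exe", "winmgmt.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<lnk>.*?) = (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# Program path of an unquoted command line: up to the first executable
# extension that is followed by whitespace or the end of the line.
PROGRAM_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr))(?:\s|$)", re.IGNORECASE)


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program a command line or path launches.
    Handles quoted paths with spaces, unquoted paths followed by arguments,
    and bare program names such as 'RunDll32' (assumed to be .exe)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = PROGRAM_RE.match(cmd)
        prog = m.group(1) if m else cmd.split()[0]
    name = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if "." in name else name + ".exe"


def parse_log(text: str) -> dict:
    """Split a HijackThis log into running processes, O2 BHOs and autostarts."""
    procs, bhos, autostarts = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                procs.append(line)
                continue
            in_procs = False  # a blank line ends the process list
        if m := O2_RE.match(line):
            bhos.append(m.groupdict())
        elif m := O4_RUN_RE.match(line):
            autostarts.append(("O4 " + m["hive"], m["value"], m["cmd"]))
        elif m := O4_LNK_RE.match(line):
            autostarts.append(("O4 " + m["hive"], m["lnk"], m["target"]))
        elif m := O23_RE.match(line):
            autostarts.append(("O23", m["name"], m["path"]))
    return {"processes": procs, "bhos": bhos, "autostarts": autostarts}


def orphaned_bhos(parsed: dict) -> list:
    """CLSIDs of O2 entries whose DLL is gone: registry leftovers, not live code."""
    return [b["clsid"] for b in parsed["bhos"]
            if b["file"].strip().lower() == "(no file)"]


def unexplained_processes(parsed: dict, core=CORE_PROCESSES) -> list:
    """Running processes that no O4/O23 entry or core allowlist explains.
    A review queue, not a verdict: hand-started programs land here too."""
    known = {exe_basename(cmd) for _, _, cmd in parsed["autostarts"]}
    return [p for p in parsed["processes"]
            if exe_basename(p) not in core and exe_basename(p) not in known]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("Orphaned BHO CLSIDs:", orphaned_bhos(parsed))
    print("Processes with no autostart entry:", unexplained_processes(parsed))
```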
