Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Ntos.exe


  • This topic is locked This topic is locked
9 replies to this topic

#1 tmerrifield

tmerrifield

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 20 April 2007 - 10:26 AM

I have an IBM Thinkpad...on bootup it warns that ntos.exe is trying to run so I click Cancel. I appreciate help in what to do next. Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:09:13 AM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [ntos.exe] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:05 AM

Posted 20 April 2007 - 01:36 PM

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware report scan. Then do this - download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 tmerrifield

tmerrifield
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 20 April 2007 - 02:25 PM

Okay - the AVG scan is done and here are the results. I'm working on the second part now.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:19:57 PM 4/20/2007

+ Scan result:



:mozilla.318:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.66:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.67:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.68:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.69:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.70:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ca reception\Cookies\ca_reception@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.268:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.269:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@www.adobe[2].txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.375:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.376:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.377:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.378:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.379:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.234:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.235:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.10:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.15:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.311:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.257:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.203:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.201:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.202:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.245:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.417:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.256:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.87:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.448:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Counted : Cleaned.
:mozilla.265:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.75:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.223:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.52:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.56:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.86:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.138:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.139:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.184:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.208:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.305:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.30:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.34:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.35:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.36:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.37:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.38:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.399:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.423:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.446:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.450:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.214:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.215:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.216:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.217:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.168:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.169:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\ca reception\Cookies\ca_reception@search.live[2].txt -> TrackingCookie.Live : Cleaned.
:mozilla.120:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.121:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.122:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.439:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.440:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.441:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.16:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.17:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\ca reception\Cookies\ca_reception@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.247:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.50:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.51:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.274:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.275:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.276:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.277:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.278:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.313:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.144:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.145:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.218:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.219:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.220:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.189:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.192:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.193:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.354:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.355:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.152:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.153:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.154:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.155:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.156:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\ca reception\Cookies\ca_reception@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.45:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.46:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.47:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.48:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.124:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.125:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.176:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.362:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.363:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.200:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\ca reception\Cookies\ca_reception@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.83:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.381:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.382:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.179:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.180:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.181:C:\Documents and Settings\Dick Gentili\Application Data\Mozilla\Firefox\Profiles\4a1ski3h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\ca reception\Local Settings\Temporary Internet Files\Content.IE5\3ZRB8SR4\servicetool2[1].exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ntos.exe -> Trojan.Agent : Cleaned with backup (quarantined).
[1008] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[1092] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[1268] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[1360] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[1504] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[1528] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[4] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[724] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[804] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[848] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).
[860] VM_14D00000 -> Trojan.Agent : Cleaned with backup (quarantined).


::Report end

#4 tmerrifield

tmerrifield
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 20 April 2007 - 03:42 PM

I've completed the SuperAntiSpy scan and a new HT which are below. I did have one question on your directions. When configuring the SuperAntiSpy scanning controls you had me check certain things and then it said "Please leave the others unchecked". There were many things checked by default and I checked the additional items you mentioned, leaving on a couple unchecked. I assumed you didn't mean for me to uncheck ALL first, then only check the ones you mentioned. If I got it wrong, please let me know and I'll redo if needed. Also, I will be leaving shortly for the weekend and will check this post Monday morning and hopefully we can finish then. I really appreciate all your efforts and believe we are on the right track!!

SuperAntispy log:
SUPERAntiSpyware Scan Log
Generated 04/20/2007 at 01:20 PM

Application Version : 3.6.1000

Core Rules Database Version : 3221
Trace Rules Database Version: 1231

Scan type : Complete Scan
Total Scan Time : 00:51:32

Memory items scanned : 416
Memory threats detected : 0
Registry items scanned : 6113
Registry threats detected : 0
File items scanned : 34276
File threats detected : 23

Adware.Tracking Cookie
C:\Documents and Settings\ca reception\Cookies\ca_reception@100hitz[1].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@ads.monster[1].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@ads.revsci[1].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@ads1.bigrradio[2].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@atwola[1].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@azjmp[1].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@click.cybertvpartner[2].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@imrworldwide[2].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@smileycentral[2].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@tracking.citibank[2].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@www.100hitz[2].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@www.googleadservices[1].txt
C:\Documents and Settings\ca reception\Cookies\ca_reception@www.windowsmedia[2].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@ads.active[2].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@clicksor[1].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@feed.clickfraudprevented[2].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@feed.clickfraudprotected[1].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@hit.namimedia[1].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@icc.intellisrv[2].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@m1.webstats4u[1].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@oddcast[1].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@stats[2].txt
C:\Documents and Settings\Dick Gentili\Cookies\dick gentili@vhost.oddcast[2].txt


HT:
Logfile of HijackThis v1.99.1
Scan saved at 1:34:45 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#5 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:05 AM

Posted 21 April 2007 - 01:54 AM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

Edited by Daemon, 21 April 2007 - 01:55 AM.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#6 tmerrifield

tmerrifield
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 23 April 2007 - 09:17 AM

I'm back and here is the latest HT log file after the fix:

Logfile of HijackThis v1.99.1
Scan saved at 7:14:24 AM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\AirCard 580\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:05 AM

Posted 23 April 2007 - 12:25 PM

Looks better - how is it running now?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#8 tmerrifield

tmerrifield
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 23 April 2007 - 12:38 PM

It is running GREAT!!! I'm assuming this is all I need to do. I definitely couldn't have gotten there without your help!!! Thanks so much!

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:05 AM

Posted 23 April 2007 - 12:44 PM

One more thing and then you're all set.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Do you require any further assistance or should I close the topic?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:05 AM

Posted 27 April 2007 - 01:12 AM

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users