
AdStatus kept on the register


15 replies to this topic

#1 cairel

cairel

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:41 AM

Posted 26 January 2005 - 03:28 AM

I got infected by AdStatus even though I use Ad-Watch, Spybot and McAfee.
Ad-Aware and Spybot were not able to remove it; the processes were regenerated as soon as you killed them. In safe mode I deleted the AdStatus folder, the contents of the tmp folder, the link in Startup and the key from the registry, but on rebooting into normal mode the key is still in the registry; I understand that means there is some other process or DLL that I cannot identify. I hope you can. Thank you. Here is the log I have now.

Edited: I forgot to mention that there is no folder called C:\Program Files\AdStatus Service\ or similar.

Logfile of HijackThis v1.99.0
Scan saved at 9:11:59, on 27/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\MAINT\sid\DISTH\DISTH.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\GEARSec.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\TpScrLk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\LOGI_MWX.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
C:\Program Files\Common Files\XCPCMenu.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\TuneUp Utilities\MemOptimizer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\IBM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avant Browser\avant.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.pepe.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by pepe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.11.251:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.pepe.com;138.*.*.*;138.221.224.*;138.221.225.*;127.*.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [PDAsync - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [PDAsync - PocketPC] C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
O4 - HKLM\..\Run: [PDAsync] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Laplink PDASync 3.0 - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [Laplink PDASync 3.0] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Escritorio MoviStar.lnk = C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate Site with Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.tui
O8 - Extra context menu item: Zoom &In  - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.tui
O8 - Extra context menu item: Zoom &Out  - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.tui
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://inside.pepe.com
O15 - Trusted Zone: www.c.es
O15 - Trusted Zone: www.p.es
O15 - Trusted Zone: www.r.com
O15 - Trusted Zone: www.u.com
O16 - DPF: JavaConnect -
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: Sametime BroadCast Client ST30IF3 - file://C:\temp\WrapGLF18\STBroadCastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\temp\WrapGLF18\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30IF3 - file://C:\temp\WrapGLF18\STMeetingRoomClient.cab
O16 - DPF: {24CEC0BF-C8BC-4bcb-B804-226326B319EF} (JNILoader Control) - file://C:\temp\WrapGLF18\STJNILoader.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Control de AcDcToday) -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://172.1.1.3/activex/AxisCamControl.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\temp\WrapGLF18\InstallSTConnAgent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/es/check/qdiagh.cab?323
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -
O16 - DPF: {FBE37597-190E-4A06-978F-E39037999049} (Genesys Component Installer) - http://content01.na.iconf.net/gcc_installer/gmcinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: Servidor de Mensajería MoviStar - Unknown - C:\Program Files\Common Files\Telefonica\Servidor de Mensajeria MoviStar\ServidorCorreoMoviStar.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

Edited by cairel, 27 January 2005 - 03:19 AM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:41 AM

Posted 26 January 2005 - 09:04 PM

Uninstall AdStatus Service from add/remove programs.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: www.c.es
O15 - Trusted Zone: www.p.es
O15 - Trusted Zone: www.r.com
O15 - Trusted Zone: www.u.com
O16 - DPF: JavaConnect - file://C:\temp\WrapGLF18\JavaConnect.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Control AcPreview) -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} (Genesys Webtour Control) -

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\


Reboot your computer to go back to normal mode and post a new log.



Do you know what this is:

O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)

#3 cairel

cairel
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:41 AM

Posted 27 January 2005 - 03:12 AM

Thank you for your help, Grinler. I did what you suggested. On rebooting in normal mode I received a warning from Ad-Watch regarding AdStatus. I blocked the change. I went back to safe mode, fixed the entry in section O4 again and rebooted... with the same result. :thumbsup:
You have the new log here; I kept the trusted zone inputs since I knew them. Regarding O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)
I have no clue. I use Acrobat Distiller but I do not know if it is related.

Logfile of HijackThis v1.99.0
Scan saved at 9:11:59, on 27/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\MAINT\sid\DISTH\DISTH.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\GEARSec.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\TpScrLk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\LOGI_MWX.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
C:\Program Files\Common Files\XCPCMenu.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\TuneUp Utilities\MemOptimizer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\IBM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avant Browser\avant.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.pepe.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by pepe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.11.251:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.pepe.com;138.*.*.*;138.221.224.*;138.221.225.*;127.*.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [PDAsync - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [PDAsync - PocketPC] C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
O4 - HKLM\..\Run: [PDAsync] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Laplink PDASync 3.0 - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [Laplink PDASync 3.0] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Escritorio MoviStar.lnk = C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate Site with Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.tui
O8 - Extra context menu item: Zoom &In  - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.tui
O8 - Extra context menu item: Zoom &Out  - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.tui
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://inside.pepe.com
O15 - Trusted Zone: www.c.es
O15 - Trusted Zone: www.p.es
O15 - Trusted Zone: www.r.com
O15 - Trusted Zone: www.u.com
O16 - DPF: JavaConnect -
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: Sametime BroadCast Client ST30IF3 - file://C:\temp\WrapGLF18\STBroadCastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\temp\WrapGLF18\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30IF3 - file://C:\temp\WrapGLF18\STMeetingRoomClient.cab
O16 - DPF: {24CEC0BF-C8BC-4bcb-B804-226326B319EF} (JNILoader Control) - file://C:\temp\WrapGLF18\STJNILoader.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Control de AcDcToday) -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://172.1.1.3/activex/AxisCamControl.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\temp\WrapGLF18\InstallSTConnAgent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/es/check/qdiagh.cab?323
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -
O16 - DPF: {FBE37597-190E-4A06-978F-E39037999049} (Genesys Component Installer) - http://content01.na.iconf.net/gcc_installer/gmcinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: Servidor de Mensajería MoviStar - Unknown - C:\Program Files\Common Files\Telefonica\Servidor de Mensajeria MoviStar\ServidorCorreoMoviStar.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:41 AM

Posted 27 January 2005 - 01:24 PM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files or directories into that directory:

C:\Program Files\AdStatus Service\

To copy the files simply navigate to the directory they are in, right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME, right-click on the folder, click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called WinZip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.


In the Add/Remove Programs control panel, uninstall AdStatus Service.

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O16 - DPF: JavaConnect -
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Control de AcDcToday) -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -
O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)


Then delete these files or directories (Do not be concerned if they do not exist)

O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O16 - DPF: JavaConnect -
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Control de AcDcToday) -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -

Reboot your computer to go back to normal mode and post a new log.
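A small triage script for this log format, added here as an example (not part of the thread and not HijackThis code): it parses one-entry-per-line HijackThis output and applies the same four checks used in the instructions above (an O2 BHO with "(no file)", an O16 DPF entry with no download location, an O23 service with "(file missing)", and an O4 Run key for a named unwanted program). The sample lines are taken from the logs posted in this thread plus a few benign entries; the UNWANTED_NAMES list is a constructed assumption.

```python
"""Triage HijackThis log entries the way the helper does in this thread.

Added example; not part of the original thread and not HijackThis code.
Heuristics mirror the entries Grinler singles out: an O2 BHO whose DLL
is "(no file)", an O16 Downloaded Program File with no source location,
an O23 service whose binary is "(file missing)", and an O4 Run key that
launches a program from a named unwanted folder. Each log entry must be
on a single line, as HijackThis writes it (the copies posted in this
thread were wrapped by the forum software).
"""
import re
from dataclasses import dataclass

# Constructed sample: the lines Grinler asked to have fixed, mixed with
# benign entries that a naive "(no name) is bad" rule would mis-flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
C:\WINNT\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: JavaConnect -
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Control de AcDcToday) -
O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
"""

# Program/folder names the thread identifies as unwanted (constructed list;
# in practice this comes from the helper's research, not a fixed table).
UNWANTED_NAMES = ("adstatus",)

# "O2 - BHO: ..." / "R1 - HKCU\...": section tag, dash, rest of the entry.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# "HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] (.*)$")


@dataclass
class Finding:
    section: str  # "O2", "O16", ...
    body: str     # entry text after the section tag
    reason: str   # why the entry was flagged


def parse_entries(log_text):
    """Yield (section, body) for every Rn/Fn/Nn/On line; headers and the
    running-process list do not match and are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def flag_reason(section, body):
    """Return a reason if the entry meets one of the thread's removal
    criteria, else None."""
    if section == "O2" and body.endswith("- (no file)"):
        # Only the missing DLL matters; "(no name)" by itself is normal
        # (SDHelper.dll in the sample is Spybot's own helper).
        return "BHO registered but its DLL is gone (orphaned CLSID)"
    if section == "O16" and re.search(r" -\s*$", body):
        # Nothing after the trailing dash: no URL or file the control came from.
        return "Downloaded Program File with no source location"
    if section == "O23" and body.endswith("(file missing)"):
        return "service points at a binary that no longer exists"
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            haystack = (m.group(1) + " " + m.group(2)).lower()
            if any(name in haystack for name in UNWANTED_NAMES):
                return "Run key launches a known unwanted program"
    return None


def triage(log_text):
    """Return the entries a helper would ask to have fixed, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = flag_reason(section, body)
        if reason:
            findings.append(Finding(section, body, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} - {f.body}\n    -> {f.reason}")
```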

#5 cairel

Posted 27 January 2005 - 02:53 PM

Grinler.
1) I don't have the folder "C:\Program Files\AdStatus Service\". I managed to delete it before posting the first post.
2) AdStatus is not on the uninstall list of programs.
3) I would like not to misunderstand your instructions:

a) Safe mode and then
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O16 - DPF: JavaConnect -
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Control de AcDcToday) -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -
O23 - Service: BBDistHandler - Unknown - %SystemDrive%\MAINT\sid\DISTH\DISTH.EXE (file missing)

b) Then delete these files or directories (Do not be concerned if they do not exist)
I guess there is an error here, since it is a copy of what is written above.

c) Reboot your computer to go back to normal mode and post a new log.

Please clarify point 3b. Thank you

#6 Grinler

Lawrence Abrams (Admin)

Posted 27 January 2005 - 03:07 PM

Just delete this if it exists in safe mode:
C:\Program Files\AdStatus Service\

If it doesn't, which it may not, move on to the next steps.

#7 cairel

Posted 28 January 2005 - 06:25 PM

Grinler, it seems all solved now! I don't get any AdStatus entry.
Thank you very much.

#8 Grinler

Posted 28 January 2005 - 06:39 PM

Let's see a last log.

#9 cairel

Posted 01 February 2005 - 02:29 AM

Here you are:

Logfile of HijackThis v1.99.0
Scan saved at 8:28:34, on 01/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\GEARSec.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\TpScrLk.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\LOGI_MWX.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
C:\Program Files\Common Files\XCPCMenu.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TuneUp Utilities\MemOptimizer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
C:\PROGRA~1\IBM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\notes\NLNOTES.EXE
C:\Program Files\notes\naldaemn.EXE
C:\Program Files\notes\nwrdaemn.EXE
C:\Program Files\notes\nupdate.EXE
C:\Program Files\notes\namgr.EXE
C:\Program Files\notes\nhldaemn.EXE
C:\Program Files\Avant Browser\avant.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.pepe.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by pepe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.11.251:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.pepe.com;138.*.*.*;138.221.224.*;138.221.225.*;127.*.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [PDAsync - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [PDAsync - PocketPC] C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
O4 - HKLM\..\Run: [PDAsync] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Laplink PDASync 3.0 - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [Laplink PDASync 3.0] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Escritorio MoviStar.lnk = C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate Site with Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.tui
O8 - Extra context menu item: Zoom &In  - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.tui
O8 - Extra context menu item: Zoom &Out  - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.tui
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://inside.pepe.com
O15 - Trusted Zone: www.c.es
O15 - Trusted Zone: www.p.es
O15 - Trusted Zone: www.r.com
O15 - Trusted Zone: www.u.com
O16 - DPF: JavaConnect -
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: Sametime BroadCast Client ST30IF3 - file://C:\temp\WrapGLF18\STBroadCastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\temp\WrapGLF18\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30IF3 - file://C:\temp\WrapGLF18\STMeetingRoomClient.cab
O16 - DPF: {00A7BD45-3D5C-11D4-BDA7-00C0F02C56AB} (DMSrvPushX Control) - http://80.38.126.72/webpages/DMWebX.ocx
O16 - DPF: {24CEC0BF-C8BC-4bcb-B804-226326B319EF} (JNILoader Control) - file://C:\temp\WrapGLF18\STJNILoader.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://172.1.1.3/activex/AxisCamControl.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\temp\WrapGLF18\InstallSTConnAgent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/es/check/qdiagh.cab?323
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -
O16 - DPF: {FBE37597-190E-4A06-978F-E39037999049} (Genesys Component Installer) - http://content01.na.iconf.net/gcc_installer/gmcinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: Servidor de Mensajería MoviStar - Unknown - C:\Program Files\Common Files\Telefonica\Servidor de Mensajeria MoviStar\ServidorCorreoMoviStar.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

#10 Grinler

Posted 01 February 2005 - 11:39 AM

Reboot into safe mode and fix these entries:

O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O16 - DPF: JavaConnect -
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -

Reboot back to normal mode. If TeaTimer/Spybot asks if you want to allow changes to be made, allow it to do so. Post a last log.

#11 cairel

Posted 02 February 2005 - 09:03 AM

I am afraid those entries come back again after reset to normal mode.

Logfile of HijackThis v1.99.0
Scan saved at 15:01:26, on 02/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\GEARSec.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\TpScrLk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\LOGI_MWX.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
C:\Program Files\Common Files\XCPCMenu.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TuneUp Utilities\MemOptimizer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\IBM\BLUETO~1\BTSTAC~1.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.pepe.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by pepe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.11.251:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.pepe.com;138.*.*.*;138.221.224.*;138.221.225.*;127.*.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [PDAsync - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [PDAsync - PocketPC] C:\Program Files\Common Files\XCPCSync\Translators\PocketPC\AutoDetect.exe
O4 - HKLM\..\Run: [PDAsync] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Laplink PDASync 3.0 - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgnt.exe
O4 - HKLM\..\Run: [Laplink PDASync 3.0] C:\Program Files\Common Files\XCPCMenu.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Escritorio MoviStar.lnk = C:\Program Files\UMTS\Escritorio MoviStar\EMS.exe
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate Site with Google - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.tui
O8 - Extra context menu item: Zoom &In - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.tui
O8 - Extra context menu item: Zoom &Out - C:\Documents and Settings\esu01379\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.tui
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://inside.pepe.com
O15 - Trusted Zone: www.c.es
O15 - Trusted Zone: www.p.es
O15 - Trusted Zone: www.r.com
O15 - Trusted Zone: www.u.com
O16 - DPF: JavaConnect -
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: Sametime BroadCast Client ST30IF3 - file://C:\temp\WrapGLF18\STBroadCastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\temp\WrapGLF18\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30IF3 - file://C:\temp\WrapGLF18\STMeetingRoomClient.cab
O16 - DPF: {00A7BD45-3D5C-11D4-BDA7-00C0F02C56AB} (DMSrvPushX Control) - http://80.38.126.72/webpages/DMWebX.ocx
O16 - DPF: {24CEC0BF-C8BC-4bcb-B804-226326B319EF} (JNILoader Control) - file://C:\temp\WrapGLF18\STJNILoader.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://172.1.1.3/activex/AxisCamControl.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\temp\WrapGLF18\InstallSTConnAgent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/es/check/qdiagh.cab?323
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} -
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} -
O16 - DPF: {FBE37597-190E-4A06-978F-E39037999049} (Genesys Component Installer) - http://content01.na.iconf.net/gcc_installer/gmcinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.pepe.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01971A2D-A378-4AA9-AD6D-D41BAE2FADCB}: NameServer = 10.34.24.11,10.34.28.10
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: Servidor de Mensajería MoviStar - Unknown - C:\Program Files\Common Files\Telefonica\Servidor de Mensajeria MoviStar\ServidorCorreoMoviStar.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

#12 Grinler

Posted 02 February 2005 - 11:57 PM

Do this. Click on Start, then Run, type msconfig and press Enter. Click on the Startup tab and uncheck the entry that corresponds with TeaTimer. Press OK until it asks if you want to reboot, and then do so. Then please attempt to remove those entries again, reboot and post a new log.

#13 cairel

Posted 07 February 2005 - 06:10 AM

Grinler, doing what you said allowed me to take out those entries. After rebooting in normal mode they are not there anymore.
If I include TeaTimer in the startup section again and reboot, they are there again, so I understand they are part of TeaTimer.

#14 Grinler

Posted 07 February 2005 - 10:51 AM

When you fix them with TeaTimer off and then reboot with TeaTimer on, does a pop-up come up from TeaTimer asking if you would like some changes to be made? If it does, allow them to be made and the entries should be gone.

#15 cairel

Posted 08 February 2005 - 08:39 AM

No, there is no popup at rebooting with TeaTimer on.