This one's ugly. Need help [resolved]


This topic is locked

#1 jatro (New Member, 6 posts)
Okay, I'm hoping that I'm doing this right. I've run AdAware and MS Anti-Spyware and there are still a lot of nasty things residing on this box.
Here's the log. Some stuff is obvious but other stuff, not quite so.
Thank you for any help you can give. Just so you know, this is all being admined remotely.
Logfile of HijackThis v1.98.2
Scan saved at 1:00:23 PM, on 03/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\winupdt.exe
C:\Program Files\PaintingRoom\paintingroom.exe
C:\Program Files\vhkcb4a6\vhkcb4a6.exe
C:\WINNT\system32\lyusd\rwtt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\jhrfi\qhabr.exe
C:\WINNT\system32\bndnifqg\dkda.exe
C:\WINNT\system32\qcjatfoc\gdymewm.exe
C:\WINNT\system32\viyobmyx\efckjukd.exe
C:\WINNT\system32\oljm\podvyg.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\80166pos\Application Data\erts.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\n?tdde.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\TWShell.exe
C:\WINNT\system32\secure.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\80166pos\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BBCC129-5A72-4BB1-A9E8-3650DA2A2CF5} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: SDWin32 Class - {407F2EF1-4263-4B07-A434-40E446B67690} - C:\WINNT\system32\lthor.dll
O2 - BHO: SDWin32 Class - {4487BB70-FEA6-42A7-86CE-96B2EB0F9C5A} - C:\WINNT\system32\lynhp.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O2 - BHO: (no name) - {7E84B31B-781B-4FC6-A081-ED71594F3A09} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {88141A37-A2D3-8927-A57A-8A5AC37B1392} - C:\WINNT\system32\wecqb.dll
O2 - BHO: (no name) - {94FB7F6A-346A-3121-64AB-0C63BBB07242} - C:\WINNT\system32\mhksubsn\ulnhjpda.dll
O2 - BHO: (no name) - {9BBB46A9-68E8-40BB-97C0-B0272DD90728} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {A6F40EC9-94B5-47DC-8ABA-0465AA5EFCF7} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {AC451F48-6462-4E18-8B53-2EEC8FC23BD6} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {AFC982B4-6BFD-440B-A20C-E0E9AB6A21DC} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {D89BA2CF-5354-43B0-8CA8-7C43E802F17F} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [nuojkw] c:\winnt\system32\nuojkw.exe
O4 - HKLM\..\Run: [PaintingRoom evidence monitor] "C:\Program Files\PaintingRoom\paintingroom.exe" -trayevidence
O4 - HKLM\..\Run: [vhkcb4a6] C:\Program Files\vhkcb4a6\vhkcb4a6.exe
O4 - HKLM\..\Run: [nounfourfunkpile] C:\Documents and Settings\All Users\Application Data\software bold noun four\date64.exe
O4 - HKLM\..\Run: [wsyfss] C:\WINNT\system32\mfplnij\wsyfss.exe
O4 - HKLM\..\Run: [lioxscj] C:\WINNT\system32\jxbxkb\lioxscj.exe
O4 - HKLM\..\Run: [agnr] C:\WINNT\system32\yeeq\agnr.exe
O4 - HKLM\..\Run: [olnvbi] C:\WINNT\system32\xeipgas\olnvbi.exe
O4 - HKLM\..\Run: [rwtt] C:\WINNT\system32\lyusd\rwtt.exe
O4 - HKLM\..\Run: [dkda] C:\WINNT\system32\bndnifqg\dkda.exe
O4 - HKLM\..\Run: [qhabr] C:\WINNT\system32\jhrfi\qhabr.exe
O4 - HKLM\..\Run: [gdymewm] C:\WINNT\system32\qcjatfoc\gdymewm.exe
O4 - HKLM\..\Run: [efckjukd] C:\WINNT\system32\viyobmyx\efckjukd.exe
O4 - HKLM\..\Run: [podvyg] C:\WINNT\system32\oljm\podvyg.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\80166pos\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [version] C:\WINNT\system32\dealhelper.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [Scba] C:\Documents and Settings\80166pos\Application Data\erts.exe
O4 - HKCU\..\Run: [Kncan] C:\WINNT\system32\n?tdde.exe
O4 - Global Startup: logon.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Shortcut to TWShell.lnk = C:\WINNT\TWShell.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.micro...ce/outlctlx.CAB
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupd...ll/aun_0008.exe
:tazz:

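The log above is read by eye in this thread; as an added example (not code from the thread or from HijackThis), here is a small Python triage helper that parses HijackThis entry lines (R1, O2, O4, O16, O23) into structured records and pulls out the entries a reviewer would look at first: BHOs with no display name, Run keys that are not on an allowlist, autoruns launched from a Temp directory, and services whose file is missing. The sample log is a subset of the lines posted above, and `KNOWN_GOOD_RUN` is a constructed allowlist assumed for this example, not an authoritative list.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HjtEntry:
    code: str                                   # section code: R1, O2, O4, O16, O23, ...
    raw: str                                    # original log line
    fields: dict = field(default_factory=dict)  # parsed parts when the line matched a known shape


# Every HijackThis entry line starts with its section code followed by " - ".
_CODE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Line shapes for the sections that carry persistence and component data.
_SHAPES = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$"),
    "O16": re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.+)$"),
}

# Constructed allowlist of Run-key names expected on this box (an assumption for the example).
KNOWN_GOOD_RUN = {"Synchronization Manager", "IgfxTray", "HotKeysCmds",
                  "ShStatEXE", "McAfeeUpdaterUI", "gcasServ"}

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:50:34 PM, on 03/02/2005

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BBCC129-5A72-4BB1-A9E8-3650DA2A2CF5} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\80166pos\LOCALS~1\Temp\27.exe\27.exe"
O4 - Global Startup: logon.bat
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.micro...ce/outlctlx.CAB
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""


def parse_hjt(text: str) -> list[HjtEntry]:
    """Parse the entry lines of a log; the header and 'Running processes' block are skipped."""
    entries: list[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = _CODE.match(line)
        if not m:
            continue
        code = m.group(1)
        shape = _SHAPES.get(code)
        sm = shape.match(line) if shape else None
        entries.append(HjtEntry(code, line, sm.groupdict() if sm else {}))
    return entries


def _exe_path(cmd: str) -> str:
    """Executable part of a Run-key command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries: list[HjtEntry]) -> list[tuple[str, str, str]]:
    """Return (code, reason, raw line) for entries a reviewer should look at first."""
    findings: list[tuple[str, str, str]] = []
    for e in entries:
        reasons = []
        if e.code == "O2" and e.fields.get("name") == "(no name)":
            reasons.append("BHO registered without a display name")
        if e.code == "O4" and "key" in e.fields:
            if e.fields["key"] not in KNOWN_GOOD_RUN:
                reasons.append("Run key not on the allowlist")
            if "\\temp\\" in _exe_path(e.fields["cmd"]).lower():
                reasons.append("autorun launches from a Temp directory")
        if "(file missing)" in e.raw:
            reasons.append("referenced file is missing on disk")
        findings.extend((e.code, r, e.raw) for r in reasons)
    return findings


if __name__ == "__main__":
    for code, reason, raw in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {reason}: {raw}")
```

The allowlist approach is deliberately dumb: anything in a Run key that an administrator did not put there gets surfaced, and the reviewer decides. Run it over a full log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`.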

#2 Joey (Member, 94 posts)
I'm working on your log; as soon as another staff member reviews it, I'll post a reply :tazz:. Thank you for your patience.

#3 Joey (Member, 94 posts)
Hello, jatro, welcome to geekstogo forums! :tazz:

Please update, configure, and re-run Ad-aware and Spybot S&D as below:
Make sure you're using the latest version of Ad-aware (Ad-aware SE 1.05). If you're using an older version, download Ad-aware SE Personal 1.05 and install it.

Before scanning with Ad-aware SE Free:
Run a FULL Ad-aware scan using the following configuration:
  • Update
    • Select Check for updates.
    • Then Connect and download SE1R28 16.02.2005.
  • Click Start
  • Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
  • It will list malware files and registry keys. Click Next.
  • Under the Critical Objects tab, right-click in the list, choose Select All, then Next.
  • It will ask for verification of checked items. Choose OK.
  • Close Ad-Aware, Shut down and reboot your system.
Scanning in Spybot Search and Destroy:

1. Download and Install Spybot S&D, accepting the Default Settings
(Please ensure you have version 1.3 final.)
Home - The home of Spybot-S&D!: http://www.safer-networking.org/
Here is a nice Tutorial http://www.safer-net...p?page=tutorial

2. Go to Start > Programs >Spybot – Search & Destroy and choose Spybot S&D

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ and download and install the Updates.

5. Next click the button ‘Check for Problems’

6. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window

7. Make sure there is a check mark beside the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT
Also, run at least 2 of these online virus scans:

Housecall<<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan<<<Accept default settings
RAV online scan<<<Add a check by 'Autoclean', leave everything else as is.
eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful
Bitdefender ScanOnline<<<Place a check by everything under 'Scan Options'.
Command on Demand

Also run an online trojan scan here: http://www.trojanscan.com/
Reboot when finished.

Download the latest version of HijackThis here:
http://www.unitethec.../HijackThis.exe
Run the new HijackThis and post the new log.

#4 Joey (Member, 94 posts)
Actually, use this download link for the new HijackThis:
http://tomcoyote.org.../HijackThis.exe

#5 jatro (Topic Starter, New Member, 6 posts)
Hey, thanks! You have no idea how much appreciated this is! Okay, I followed the instructions given and here's the new HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 4:50:34 PM, on 03/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\winupdt.exe
C:\Program Files\PaintingRoom\paintingroom.exe
C:\Program Files\vhkcb4a6\vhkcb4a6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\lyusd\rwtt.exe
C:\WINNT\system32\jhrfi\qhabr.exe
C:\WINNT\system32\bndnifqg\dkda.exe
C:\WINNT\system32\qcjatfoc\gdymewm.exe
C:\WINNT\system32\viyobmyx\efckjukd.exe
C:\WINNT\system32\oljm\podvyg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\secure.exe
C:\Documents and Settings\80166pos\Application Data\erts.exe
C:\WINNT\system32\n?tdde.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\TWShell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\80166pos\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BBCC129-5A72-4BB1-A9E8-3650DA2A2CF5} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: SDWin32 Class - {407F2EF1-4263-4B07-A434-40E446B67690} - C:\WINNT\system32\lthor.dll
O2 - BHO: SDWin32 Class - {4487BB70-FEA6-42A7-86CE-96B2EB0F9C5A} - C:\WINNT\system32\lynhp.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O2 - BHO: (no name) - {7E84B31B-781B-4FC6-A081-ED71594F3A09} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {88141A37-A2D3-8927-A57A-8A5AC37B1392} - C:\WINNT\system32\wecqb.dll
O2 - BHO: (no name) - {94FB7F6A-346A-3121-64AB-0C63BBB07242} - C:\WINNT\system32\mhksubsn\ulnhjpda.dll
O2 - BHO: (no name) - {9BBB46A9-68E8-40BB-97C0-B0272DD90728} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {A6F40EC9-94B5-47DC-8ABA-0465AA5EFCF7} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {AC451F48-6462-4E18-8B53-2EEC8FC23BD6} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {AFC982B4-6BFD-440B-A20C-E0E9AB6A21DC} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {D89BA2CF-5354-43B0-8CA8-7C43E802F17F} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O2 - BHO: (no name) - {FA1923FC-6AB0-4073-86EA-B97F39C22525} - C:\Program Files\vhkcb4a6\vhkcb4a6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [nuojkw] c:\winnt\system32\nuojkw.exe
O4 - HKLM\..\Run: [PaintingRoom evidence monitor] "C:\Program Files\PaintingRoom\paintingroom.exe" -trayevidence
O4 - HKLM\..\Run: [vhkcb4a6] C:\Program Files\vhkcb4a6\vhkcb4a6.exe
O4 - HKLM\..\Run: [nounfourfunkpile] C:\Documents and Settings\All Users\Application Data\software bold noun four\date64.exe
O4 - HKLM\..\Run: [wsyfss] C:\WINNT\system32\mfplnij\wsyfss.exe
O4 - HKLM\..\Run: [lioxscj] C:\WINNT\system32\jxbxkb\lioxscj.exe
O4 - HKLM\..\Run: [agnr] C:\WINNT\system32\yeeq\agnr.exe
O4 - HKLM\..\Run: [olnvbi] C:\WINNT\system32\xeipgas\olnvbi.exe
O4 - HKLM\..\Run: [rwtt] C:\WINNT\system32\lyusd\rwtt.exe
O4 - HKLM\..\Run: [dkda] C:\WINNT\system32\bndnifqg\dkda.exe
O4 - HKLM\..\Run: [qhabr] C:\WINNT\system32\jhrfi\qhabr.exe
O4 - HKLM\..\Run: [gdymewm] C:\WINNT\system32\qcjatfoc\gdymewm.exe
O4 - HKLM\..\Run: [efckjukd] C:\WINNT\system32\viyobmyx\efckjukd.exe
O4 - HKLM\..\Run: [podvyg] C:\WINNT\system32\oljm\podvyg.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\80166pos\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [version] C:\WINNT\system32\dealhelper.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [Scba] C:\Documents and Settings\80166pos\Application Data\erts.exe
O4 - HKCU\..\Run: [Kncan] C:\WINNT\system32\n?tdde.exe
O4 - Global Startup: logon.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Shortcut to TWShell.lnk = C:\WINNT\TWShell.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.micro...ce/outlctlx.CAB
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://sptsrv19/BISP...rces/msddsc.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupd...ll/aun_0008.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thecreek.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thecreek.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thecreek.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: MultiCast Listener (MCListener) - Datavantage - C:\PROGRA~1\TRADEW~1\MULTIC~1.EXE
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)

:tazz:

#6 jatro (Topic Starter, New Member, 6 posts)
bump

#7 Joey (Member, 94 posts)
Download the free trial of Trojan Hunter here. Update it, and let it run, fixing anything it finds.

Please download, install, update and scan your system with the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


#8 jatro (Topic Starter, New Member, 6 posts)
Okay, Joey, here we go. Sorry it took so long to get this done. We got it cleaned enough to be usable for our users, and were dealing with other issues.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:24:27 AM, 03/09/2005
+ Report-Checksum: 9D194E2B

+ Date of database: 03/09/2005
+ Version of scan engine: v3.0

+ Duration: 18 min
+ Scanned Files: 31780
+ Speed: 28.26 Files/Second
+ Infected files: 107
+ Removed files: 107
+ Files put in quarantine: 107
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\80166pos\Application Data\erts.exe -> Spyware.PurityScan.v -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091555-234.dll -> Spyware.Adstart.c -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091555-390.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091555-646.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091555-805.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091555-885.dll -> Spyware.Adstart.c -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091555-972.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-300.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-444.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-524.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-545.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-579.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-586.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-608.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-671.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-683.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-769.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-781.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-866.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\80166pos\Desktop\backups\backup-20050304-091556-985.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\erts.exe -> Spyware.PurityScan.v -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ping[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\diagus@link[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\diagus@S120498[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\diagus\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elibar\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elibar\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\elipfa@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\elipfa@dcslt9a2911e5h27gz9cy9xcg_5f1j[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\elipfa@dcsuuftkberp17368wkcsn8pc_5z5u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\elipfa@dcsx8czs1erp17368wkcsn8pc_9z2q[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\elipfa@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\elipfa\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jamkee\Cookies\jamkee@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jamkee\Cookies\jamkee@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jamkee\Cookies\jamkee@S005-01-9-28-233860-106434[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\NELBRO\Cookies\nelbro@tryaolfree[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AC2758D-6027-48E4-9449-49DC54\42987E0F-65CF-401A-ABDE-894574 -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AC2758D-6027-48E4-9449-49DC54\B7639B93-AF13-45C3-A3CD-E9CFB2 -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F2CB59EF-25A2-4D58-9569-76818D\2F279D70-DAAC-441E-A0D9-86C29D -> Spyware.BiSpy.t -> Cleaned with backup
C:\Program Files\vhkcb4a6\vhkcb4a6.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\vhkcb4a6\vhkcb4a6.exe -> Backdoor.Ruledor.f -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc10.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc104.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc108.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc110.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc113.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc121.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc124.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc13.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc134.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc135.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc136.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc138.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc146.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc150.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc157.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc159.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc161.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc163.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc165.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc168.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc169.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc171.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc18.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc19.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc27.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc34.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc35.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc36.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc37.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc4.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc42.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc45.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc50.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc51.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc6.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc61.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc63.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc64.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc65.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc66.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc70.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc73.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc74.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc75.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc8.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc81.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc83.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc89.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc9.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2041269577-444530729-9522986-33502\Dc99.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\farmmext.bad -> Spyware.ConsCorr -> Cleaned with backup
C:\WINNT\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\WINNT\system\wuhfnpjpp.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\WINNT\system32\dun.exe -> Spyware.DealHelper.x -> Cleaned with backup


::Report End
-----------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 7:28:05 AM, on 03/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\TWShell.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Spyware\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Global Startup: logon.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Shortcut to TWShell.lnk = C:\WINNT\TWShell.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.micro...ce/outlctlx.CAB
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://sptsrv19/BISP...rces/msddsc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thecreek.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thecreek.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thecreek.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MultiCast Listener (MCListener) - Datavantage - C:\PROGRA~1\TRADEW~1\MULTIC~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


End of log
-----------------------------------------------------------------------------------------------

I sure do appreciate your help! Thank you for your time on this.

#9 Joey (Member, 94 posts)
Your log is clean. Just one last leftover line:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Close all open browsers and windows, even this one, and hit 'Fix Selected'.

Reboot and post a new log, so I can make sure the malware isn't hiding out.