
idd dialer on w2003


  • Please log in to reply

#1
dfarolfi

    New Member
  • 4 posts
Hello,
I just caught IDD DIALER. I found an old post which explained how to get rid of it, using HijackThis, but, sadly, this seems not to be applicable to my case, because it refers to .dlls I do not have.
In fact, that topic referred to

O20 - Winlogon Notify: winrge32 - C:\WINDOWS\SYSTEM32\winrge32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
====================================
But I don't have winrge32; the reason is, I suppose, that I'm not on XP but on W2003 (not my choice, but for professional reasons).

My Hijack log is :

====================================

Logfile of HijackThis v1.99.1
Scan saved at 8.44.55, on 14/07/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\Programmi\OfficeScan NT\tmlisten.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Programmi\File comuni\System\MSSearch\Bin\mssearch.exe
C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\TEMP\NI3E60.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\Programmi\OfficeScan NT\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\TEMP\iddC2.tmp.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\dm_agent_exec.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\OfficeScan NT\pccntupd.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2003:8090/CLASSLIFE/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Premium Clock] C:\Programmi\Premium Clock\Premium.exe /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: WinMySQLadmin.lnk = C:\FoxServ\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://dcmt-00:8090/...ContentXfer.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://officescan/o...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://officescan/o...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://officescan/o...stall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://officescan/o...html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://officescan/o.../RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140250383706
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqlr32 - C:\WINDOWS\SYSTEM32\winqlr32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Apache Tomcat 4.1-Calendar - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Documentum DocBroker Service Docbroker (DmDocbroker) - Unknown owner - C:\Documentum\product\5.2\bin\dmdocbroker.exe
O23 - Service: Documentum Java Method Server (DmJavaMethodServer) - Alexandria Software Consulting - C:\Program Files\Documentum\tomcat\4.1.27\bin\tomcat.exe
O23 - Service: Documentum Docbase Service CLASSLIFE (DmServerCLASSLIFE) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: Documentum Docbase Service GESDOCNEWS (DmServerGESDOCNEWS) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: EncoderServer - Unknown owner - C:\encoderServer\wrapper_win32_3.1.2\bin\wrapper.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerLISTENER2 - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDCMTDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

====================================

Thanks in advance to everyone

#2
Flrman1

    Malware Assassin
  • Retired Staff
  • 6,596 posts
Hi dfarolfi

Welcome to GTG!

* Download the trial version of Ewido Security Suite here.
  • Click on the "Download Now" button and save the setup file to your desktop.
  • Doubleclick on the ewido-setup file to begin the installation.
  • When the installation is complete, open ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • When the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • If you cannot download the updates, update manually according to the directions here.
  • DO NOT run a scan yet. You will do that later in safe mode.
* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run ewido:
  • Launch ewido by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient it may take a while for the scan to complete.
  • When the scan is complete, you must select an action.
  • Select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen
  • Save the report as a text file and save it to your desktop.
  • Close ewido.
* Restart back into Windows normally now.


* Come back here and post a new HijackThis log, as well as the log from the Ewido scan.

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

#3
dfarolfi

    New Member
  • Topic Starter
  • 4 posts
Hello Flrman1,

I followed your instructions, but without success. I mean, ewido caught xxxtmp.exe (idd related) items and cleaned them, but they keep being created, so I think that the "real" origin of the malware was not discovered and cleaned up.

Anyway, here are the logs you requested:

=======================
(1) EWIDO report after Complete Scan (in safe-mode)


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12.51.32 17/07/2006

+ Scan result:



C:\WINDOWS\Temp\idd102.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd10B.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd113.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd11A.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd177.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd9E.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC2.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddCC.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddCE.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD3.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD9.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddE6.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddEB.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddEC.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddED.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddFB.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\8PQ30P6N\srvuxn[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\9CDP3PXR\srvkzj[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\GPSJSJC7\srvais[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\KJANWTGR\srvmko[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\S353UENP\srvhlp[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\ZBDHT9LI\srvekg[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win19.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win95.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winCB.tmp -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winCC.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winDF.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winF3.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\isinst.exe -> Downloader.IstBar.ow : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\C1U7G5YB\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\GPSJSJC7\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\MQULTT4Y\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\S353UENP\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Downloads\XPCrack\WTK_Dp\WTK_Dp\UltimateWindows\RockXP v3\RockXP30.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
C:\Downloads\XPCrack\WTK_Dp\WTK_Dp\UltimateWindows\RockXP v3\RockXP30.exe/keyms.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
C:\Downloads\XPCrack\WTK_Dp\WTK_Dp\UltimateWindows\RockXP v3\RockXP30.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Dbbsrv : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end


========================

(2) HijackThis Log


Logfile of HijackThis v1.99.1
Scan saved at 12.58.02, on 17/07/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\Programmi\OfficeScan NT\tmlisten.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\File comuni\System\MSSearch\Bin\mssearch.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\Programmi\OfficeScan NT\pccntmon.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\TEMP\VICEB6.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis\HijackThis.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2003:8090/CLASSLIFE/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Premium Clock] C:\Programmi\Premium Clock\Premium.exe /autorun
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: WinMySQLadmin.lnk = C:\FoxServ\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://dcmt-00:8090/...ContentXfer.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://officescan/o...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://officescan/o...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://officescan/o...stall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://officescan/o...html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://officescan/o.../RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140250383706
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqlr32 - C:\WINDOWS\SYSTEM32\winqlr32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Apache Tomcat 4.1-Calendar - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Documentum DocBroker Service Docbroker (DmDocbroker) - Unknown owner - C:\Documentum\product\5.2\bin\dmdocbroker.exe
O23 - Service: Documentum Java Method Server (DmJavaMethodServer) - Alexandria Software Consulting - C:\Program Files\Documentum\tomcat\4.1.27\bin\tomcat.exe
O23 - Service: Documentum Docbase Service CLASSLIFE (DmServerCLASSLIFE) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: Documentum Docbase Service GESDOCNEWS (DmServerGESDOCNEWS) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: EncoderServer - Unknown owner - C:\encoderServer\wrapper_win32_3.1.2\bin\wrapper.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerLISTENER2 - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDCMTDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


===================

(3) HijackThis 'Save List'

Ad-Aware SE Personal
Adobe Download Manager 2.0 (solo rimozione)
Adobe Reader 7.0.7
Agere Systems AC'97 Modem
Aggiornamento della protezione per Windows Server 2003 (KB916281)
Apache Tomcat 4.1 (remove only)
Broadcom 440x 10/100 Integrated Controller
Codec Pack - All In 1 6.0.2.7
Connect Daily Web Calendar
DameWare Mini Remote Control
Debugging Tools for Windows
DJ Java Decompiler v.3.7.7.81
Documentum Administrator
Documentum Application Builder 5.2.5
Documentum Application Installer 5.2.5
Documentum Content Server 5.2
Documentum DAM Services
Documentum DFC Runtime Environment
Documentum Webtop
ewido anti-spyware 4.0
HijackThis 1.99.1
Intel® Extreme Graphics 2 Driver
IntelliJ IDEA 4.0
JAJC (remove only)
Jasc Paint Shop Pro 9
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK, SE v1.4.2_05
K-Lite Codec Pack 2.50 Full
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2003 - Componenti Web
Microsoft Office Basic Edition 2003
Microsoft Office Professional Edition 2003
Microsoft Script Debugger
Microsoft SQL Server 2000
Nero Suite
NeroVision Express 3 SE
Netscape (7.1)
PL/SQL Developer
Realtek AC'97 Audio
Spark 1.1.3
TopStyle (Version 3)
TortoiseCVS 1.8.13
Trend Micro OfficeScan Client
Universe Online WebControls for Java Setup
VMware Workstation
VNC Free Edition 4.1.1
Wildfire 2.5.1
Windows Server 2003 Service Pack 1
Windows System Updates {C34F4667-ADD4-4EAF-98D6-DCE034FB5CCF}
Windows System Updates {C521F31F-9E0E-45ED-89E4-BFBDB18E13A1}
Windows System Updates {ECDF2F0C-9B27-4C9F-B4F7-D917F14589A1}
WinRAR gestione archivi
WinZip

#4
Flrman1

    Malware Assassin
  • Retired Staff
  • 6,596 posts
* Go to Add/Remove programs and uninstall this old version of Java:

Java 2 Runtime Environment, SE v1.4.2_05


* Now go here and install the latest version of Java.


* Click here to download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that a checkmark is placed by "Launch HaxFix".
  • Click "Finish"
  • A red "dos window" (dos box) will open with options:
    • 1. Make logfile
    • 2. Run auto fix
    • 3. Run manual fix
    • E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.


#5
dfarolfi

    New Member
  • Topic Starter
  • 4 posts
Hello Flrman1,
many thanks for your help.
I followed your instructions (BTW, HaxFix incorrectly checked the OS version; I had to change 'fix.bat' in order to make it recognize my W2003). Here is the resulting log:


HAXFIX logfile - by Marckie
______________
version 3.07
18/07/2006 10.08.07,45

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
CmBatt

checking for matching safeboot services....
no matching safeboot services found


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished

#6
Flrman1

    Malware Assassin
  • Retired Staff
  • 6,596 posts
I apologize for the delay in response. I had back problems yesterday and just couldn't sit here in front of the computer.

1. Click here to download The Avenger by Swandog46 and save it to your desktop.
  • Right click on Avenger.zip and choose "Extract All" extract the avenger.exe file.
  • Extract it to your desktop
2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) or right clicking it and choosing "Copy":

Files to delete:
C:\WINDOWS\SYSTEM32\winqlr32.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winqlr32


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Come back here to this thread. Copy and paste the contents of c:\avenger.txt into your reply along with a fresh HJT log.

Edited by Flrman1, 19 July 2006 - 03:41 PM.


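The Avenger script above removes a single Winlogon Notify package, the persistence location HijackThis reports as O20 lines; the PowerShell below is an added example, not part of this thread or of any tool mentioned in it, and audits every package registered under that key on an XP/2003 host, resolving each DLLName the way Winlogon does and flagging entries whose file is missing or does not carry a valid Authenticode signature. It assumes PowerShell is installed on the machine; a NotSigned result is a prompt to inspect that file, not proof of malware, since some OS DLLs are signed only through catalog files.

```powershell
# Added example (not from the thread): audit the Winlogon Notify packages that
# HijackThis reports as O20 lines and that the Avenger script above removes (winqlr32).
# Applies to Windows XP / Server 2003, where Winlogon still loads Notify DLLs at logon.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyAudit {
    Get-ChildItem -Path $notifyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = [string](Get-ItemProperty -Path $_.PSPath).DLLName
        # A bare file name is loaded from System32, so resolve it there before checking.
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $status = 'FileMissing'
        if ($exists) {
            # SignatureStatus enum: Valid, NotSigned, HashMismatch, UnknownError, ...
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        }
        New-Object PSObject -Property @{
            Package    = $_.PSChildName
            DLL        = $dll
            Status     = $status
            # What a responder looks at first: a missing file behind a live key, or a
            # DLL in System32 that is not validly signed (winqlr32.dll was unsigned junk).
            Suspicious = ($status -ne 'Valid')
        }
    } | Select-Object Package, DLL, Status, Suspicious
}

# Suspicious entries sort to the top; compare them against the O20 lines in the HJT log.
Get-WinlogonNotifyAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```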
#7
dfarolfi

    New Member

  • Topic Starter
  • Member
  • 4 posts
Hello Flrman1,

please do not apologize, since you are giving up your time to help me.
I followed your instructions, but could not use Avenger, since it complained about an unsupported OS version.
So I decided to proceed manually, deleting the Registry key and the .dll myself. To accomplish this, I had to use KillBox (the 'Replace on reboot' function), since Windows Explorer didn't let me delete winqlr32.dll, saying it was in use.
Now everything finally seems to be fixed (my HJT log follows); thanks a lot for your help.

====================

Logfile of HijackThis v1.99.1
Scan saved at 10.20.30, on 20/07/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\Programmi\OfficeScan NT\tmlisten.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINDOWS\system32\vmnat.exe
C:\Programmi\File comuni\System\MSSearch\Bin\mssearch.exe
C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\TEMP\PE18F.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\Programmi\OfficeScan NT\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documentum\product\5.2\bin\dm_agent_exec.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\Programmi\OfficeScan NT\pccntupd.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2003:8090/CLASSLIFE/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Premium Clock] C:\Programmi\Premium Clock\Premium.exe /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: WinMySQLadmin.lnk = C:\FoxServ\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://dcmt-00:8090/...ContentXfer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140250383706
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Apache Tomcat 4.1-Calendar - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Documentum DocBroker Service Docbroker (DmDocbroker) - Unknown owner - C:\Documentum\product\5.2\bin\dmdocbroker.exe
O23 - Service: Documentum Java Method Server (DmJavaMethodServer) - Alexandria Software Consulting - C:\Program Files\Documentum\tomcat\4.1.27\bin\tomcat.exe
O23 - Service: Documentum Docbase Service CLASSLIFE (DmServerCLASSLIFE) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: Documentum Docbase Service GESDOCNEWS (DmServerGESDOCNEWS) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: EncoderServer - Unknown owner - C:\encoderServer\wrapper_win32_3.1.2\bin\wrapper.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerLISTENER2 - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDCMTDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


====================

#8
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Sorry, I was overlooking the fact that you are running Windows Server. We don't get those very often.

Let's try an online scan now before we jump for joy. Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop, then come back here and attach it to your next reply along with a new Hijack This log.
Note: You have to use Internet Explorer to do the online scan.