Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Microsoft visual C++ run time error


  • This topic is locked This topic is locked

#1
wassupsergio

wassupsergio

    Member

  • Member
  • PipPip
  • 30 posts
I get this error when I log into my account but when another account logs in this pc no error is found.

Microsoft Visual C++ Runtime library
Runtime error!!
Program: C:\WINNT\explorer.exe

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support teamfor more information.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:17 PM, on 3/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\system32\picsvr\picsvr.exe
C:\WINNT\system32\rprlna.exe
c:\winnt\system32\jsesnjpx.exe
c:\winnt\system32\packager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\Documents and Settings\kientl\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [WinLogon] C:\WINNT\logon.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O4 - HKLM\..\Run: [jsesnjpx] c:\winnt\system32\jsesnjpx.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi and welcome

Need you to do a few things here please,

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT
Drag HJT into this folder please,

Next,
Please open HJT> Click on the Config button> Click >Misc. Tools > Click > Open Process manager> Highlight “logon.exe, picsvr.exe, wupdt.exe, rprlna.exe, jsesnjpx.exe “ >Click> Kill process>
Next click the scan button and put a check mark next to the following, close all open windows , Click “ Fix Checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WinLogon] C:\WINNT\logon.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O4 - HKLM\..\Run: [jsesnjpx] c:\winnt\system32\jsesnjpx.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files View Hidden Folders search for and delete the following in BOLD

C:\WINNT\ceres.dll
C:\WINNT\systb.dll
C:\WINNT\logon.exe
C:\WINNT\wupdt.exe
C:\WINNT\system32\rprlna.exe
c:\winnt\system32\jsesnjpx.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe <--delete Folder
C:\WINNT\isrvs\mfiltis.dll < This may be sitting in a folder as well delete it please

Restart your computer, restart HJT and post back a fresh log
  • 0

#3
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:23:40 PM, on 4/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\system32\rprlna.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#4
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
isregard Top log file this is the most recent one.


Logfile of HijackThis v1.99.1
Scan saved at 3:37:21 PM, on 4/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\system32\rprlna.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#5
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe

If this isn't set by you or your Admin, or a third party software have HJT fix it as well please
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\WINNT\system32\rprlna.exe


Restart your computer, Post back a fresh log please

Let us know how the computer is runnning please

Edited by don77, 01 April 2005 - 07:39 PM.

  • 0

#6
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:35:00 PM, on 4/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\system32\rprlna.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\lopezs\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#7
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
What the... I got a pop up while I was away form the computer and now so much stuff is installed again.

Logfile of HijackThis v1.99.1
Scan saved at 2:13:14 PM, on 4/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\rprlna.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\WINNT\system32\picsvr\picsvr.exe
c:\winnt\system32\jsesnjpx.exe
c:\winnt\system32\packager.exe
C:\WINNT\system32\aircity.exe
C:\WINNT\system32\aircity.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\lopezs\LOCALS~1\Temp\DrTemp\thnall1p.exe
C:\HJT\HijackThis.exe
C:\DOCUME~1\lopezs\LOCALS~1\Temp\THI7B2A.tmp\spike.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\lopezs\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINNT\sixtypopsix.exe
O4 - HKLM\..\Run: [zupyjcl] C:\WINNT\zupyjcl.exe
O4 - HKLM\..\Run: [jsesnjpx] c:\winnt\system32\jsesnjpx.exe
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [aircity] C:\WINNT\system32\aircity.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\RunOnce: [aircity] C:\WINNT\system32\aircity.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please download and run this tool
Betterinternet removal

Reboot and post back a fresh HJT log please,
  • 0

#9
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
I can't run it since I dont' admin privileges
  • 0

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Go to Add/Remove Programs and remove the following if found.
SurfSideKick 2
180Solutions
N-Case

Reboot your computer

Go Here download and install Cleanup!
Don't run it yet,
Next
Please open HJT> Click on the Config button> Click >Misc. Tools > Click > Open Process manager> Highlight “thnall1p.exe, spike.exe, aircity.exe “ >Click> Kill process>
Next click the scan button and put a check mark next to the following, close all open windows , Click “ Fix Checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINNT\sixtypopsix.exe
O4 - HKLM\..\Run: [zupyjcl] C:\WINNT\zupyjcl.exe
O4 - HKLM\..\Run: [jsesnjpx] c:\winnt\system32\jsesnjpx.exe
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [aircity] C:\WINNT\system32\aircity.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\RunOnce: [aircity] C:\WINNT\system32\aircity.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files View Hidden Folders search for and delete the following in BOLD

C:\WINNT\dlmax.dll
C:\Program Files\E2G\IeBHOs.dll <--Delete Folder
C:\WINNT\system32\rprlna.exe
c:\winnt\180ax.exe
C:\WINNT\sixtypopsix.exe
C:\WINNT\zupyjcl.exe
c:\winnt\system32\jsesnjpx.exe
C:\WINNT\mm15201518.Stub.exe
C:\Program Files\SurfSideKick 2\Ssk.exe <--Delete Folder
OC:\WINNT\wupdt.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\WINNT\system32\picsvr\picsvr.exe
C:\WINNT\system32\aircity.exe


Now open Cleanup!, Click Cleanup and let it do its thing
It will ask you to reboot click Yes

Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.

Then scan again with HijackThis and post another log.

Edited by don77, 02 April 2005 - 09:11 PM.

  • 0

Advertisements


#11
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:21:30 PM, on 4/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\system32\rprlna.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#12
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
I forgot to put the log from the onlien scan it found 5 viruses.
TROJ_SMALL.CB
TROJ_AGENT.BT
TROJ_AGENT.MR
TROJ_QLOGIC.A
TROJ_SMALL.ABT

They were all deleted from system.

Wasn't able to scan with pandascan as it gave me an error when tried to scan.
  • 0

#13
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Ok we seem to be gaining on it again,
Download Pocket Killbox from. Here Paste the full file path (C:\WINNT\system32\rprlna.exe ) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.
Let us know how you make out
  • 0

#14
wassupsergio

wassupsergio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:12:41 PM, on 4/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - Global Startup: dkdc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#15
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Ok we are getting there,

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O4 - Global Startup: dkdc.exe

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

dkdc.exe

Restart your computer, Post back a fresh log please

Next,

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.
Run a scan with it please, have it fix all it finds,
Restart your computer

Post backa fresh log please
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP