Video AX Object Malware Issue


#1
tfurru1
    New Member
  • 8 posts
"It is in the task bar, can't be clicked on or removed. It just sits there and flashes between the two different circles and pops up all kinds of popups and webpages for virus removal software."

I have this exact same issue that another member (guruwannabe) had, but before I found this forum I deleted the contents of C:\Program Files\Video AX Object by killing the processes first. However, I still have the security alert icon that flashes in the task bar. I tried the instructions that guruwannabe received, but I still have the icon on my taskbar.

Here is my HijackThis log. Please help, as I cannot figure out why the icon in the taskbar tray is still there, producing a popup with a security warning and directing me to http://www.spylocked.com/?aff=321. I don't think I am still hijacked at this time, because running the SmitFraudFix application deleted my desktop background, a possible sign my laptop is no longer infected, but the icon is still there. Thanks for any analysis you can provide. I am pretty computer savvy, but I don't see anything in the log that jumps out at me.

Logfile of HijackThis v1.99.1
Scan saved at 4:41:30 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
C:\InvScan\ISSrv.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Progra~1\inimannt\inimannt.exe
C:\invscan\DNATray.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BANK ONE CORPORATION
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.bankone.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IE6Sp1 Arb Settings] "C:\Documents and Settings\All Users\Application Data\Profiles\IE6.Sp1\Arb.exe"
O4 - HKLM\..\Run: [MSOffice 2000 Profiles] "C:\Documents and Settings\All Users\Application Data\Profiles\Office\Prof486.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [smplsrch] c:\windows\system32\smplsrch.exe
O4 - HKLM\..\Run: [ISStart] C:\InvScan\isstart.exe -run
O4 - HKLM\..\Run: [Inimannt] c:\Progra~1\inimannt\inimannt.exe -n -p=c:\Progra~1\inimannt\inimannt.ini
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [NotesINICLeanup] C:\Program Files\Lotus\INICleanup\Ini6Clean.exe
O4 - HKLM\..\Run: [Desktop DNA Tray Icon] C:\invscan\DNATray.exe
O4 - HKLM\..\Run: [MSProject 2002 Professional Dynamic User Profiles] Prof2305.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.bankone.net/
O15 - Trusted Zone: http://helos-uat.chase.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qpchaseweb.chase.com/qp2.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://enterpriseqc....in/Spider80.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168952514584
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\Software\..\Telephony: DomainName = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bankone.net,chase.com,jpmchase.com,jpmorganchase.com,svr.bankone.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bankone.net,chase.com,jpmchase.com,jpmorganchase.com,svr.bankone.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bankone.net,chase.com,jpmchase.com,jpmorganchase.com,svr.bankone.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CCM Monitor Service (CcmMonitor) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EphdXlatService - Unknown owner - C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
O23 - Service: InvScan Service (ISService) - Bank One Corporation - C:\InvScan\ISSrv.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCG Protect - PC Guardian - C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WebClientSrv - PC Guardian Technologies, Inc. - C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
#2
Buckeye_Sam
    Malware Expert
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#3
tfurru1
    New Member
  • Topic Starter
  • 8 posts
OK, below are the results of running option 1 (Search) in SmitFraudFix:

SmitFraudFix v2.171

Scan done at 17:58:25.81, Sat 04/28/2007
Run from C:\Documents and Settings\e028403\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
C:\InvScan\ISSrv.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Progra~1\inimannt\inimannt.exe
C:\invscan\DNATray.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\InvScan\invscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\e028403


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\e028403\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\e028403\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b23dc537-3e13-44c7-bf67-d8405eb377f7}"="bedstead"

[HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\WINDOWS\system32\rcohty.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\WINDOWS\system32\rcohty.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="ziswin.exe"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VM Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.94.163.100
DNS Server Search Order: 24.94.163.101

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4FC70F2E-D549-4ADA-AA8A-7634A29E66BF}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4FC70F2E-D549-4ADA-AA8A-7634A29E66BF}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4FC70F2E-D549-4ADA-AA8A-7634A29E66BF}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4
Buckeye_Sam
    Malware Expert
  • 10,019 posts
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


I also need to see another type of log.
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#5
tfurru1
    New Member
  • Topic Starter
  • 8 posts
I ran SmitfraudFix.exe option 2, but I still have the icon in my system tray with the popups.

Here are the results of running SmitfraudFix.exe option 2 and running ComboFix.exe:

First, SmitfraudFix.exe option 2:

SmitFraudFix v2.171

Scan done at 18:28:28.78, Sat 04/28/2007
Run from C:\Documents and Settings\e028403\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b23dc537-3e13-44c7-bf67-d8405eb377f7}"="bedstead"

[HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\WINDOWS\system32\rcohty.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\WINDOWS\system32\rcohty.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4FC70F2E-D549-4ADA-AA8A-7634A29E66BF}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4FC70F2E-D549-4ADA-AA8A-7634A29E66BF}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4FC70F2E-D549-4ADA-AA8A-7634A29E66BF}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="ziswin.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b23dc537-3e13-44c7-bf67-d8405eb377f7}"="bedstead"

[HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\WINDOWS\system32\rcohty.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\WINDOWS\system32\rcohty.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

And now ComboFix.exe:

"E028403" - 07-04-28 18:42:16 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\e028403\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\install.log


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


2007-04-28 18:36 16,384 --a----t- C:\TEMP\Perflib_Perfdata_5a0.dat
2007-04-28 17:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-28 17:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-28 17:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-28 16:03 3,760 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-28 09:49 <DIR> d-------- C:\Program Files\MW
2007-04-28 09:30 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-04-14 13:25 <DIR> d-------- C:\DOCUME~1\e028403\APPLIC~1\DivX
2007-04-12 10:52 <DIR> d-------- C:\Program Files\DivX
2007-04-06 08:46 <DIR> d-------- C:\RAZR
2007-04-05 08:08 8,192 --a------ C:\WINDOWS\system32\srvany.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 18:37 -------- d-------- C:\DOCUME~1\e028403\APPLIC~1\skype
2007-04-28 18:21 40 --a------ C:\WINDOWS\system32\profile.dat
2007-04-28 15:00 -------- d-------- C:\Program Files\remoteconnect
2007-04-28 11:02 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-28 09:37 -------- d-------- C:\Program Files\e!pc
2007-04-27 08:30 -------- d-------- C:\DOCUME~1\e028403\APPLIC~1\weatherbug
2007-04-19 12:35 7168 --a-s---- C:\WINDOWS\system32\rcohty.dll
2007-04-08 12:13 -------- d-------- C:\DOCUME~1\e028403\APPLIC~1\real
2007-03-27 02:55 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-03-27 02:55 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 02:55 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-03-27 02:55 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-03-27 02:49 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-03-27 02:49 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-03-27 02:49 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-03-27 02:49 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-03-27 02:49 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-03-27 02:49 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-03-27 02:49 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-03-27 02:49 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-03-27 02:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 02:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 02:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 02:48 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-03-11 14:09 16 --a------ C:\WINDOWS\popcinfo.dat
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-22 16:18 878 --a------ C:\DOCUME~1\e028403\APPLIC~1\adobedlm.log
2007-02-22 16:18 6 --a------ C:\DOCUME~1\e028403\APPLIC~1\dm.ini
2007-02-15 20:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-07 01:43 97 --a------ C:\DOCUME~1\e028403\APPLIC~1\sstraceprefs.xml


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IE6Sp1 Arb Settings"="\"C:\\Documents and Settings\\All Users\\Application Data\\Profiles\\IE6.Sp1\\Arb.exe\""
"MSOffice 2000 Profiles"="\"C:\\Documents and Settings\\All Users\\Application Data\\Profiles\\Office\\Prof486.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"NDPS"="C:\\WINDOWS\\System32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EABSERVR.EXE /Start"
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"smplsrch"="c:\\windows\\system32\\smplsrch.exe"
"ISStart"="C:\\InvScan\\isstart.exe -run"
"Inimannt"="c:\\Progra~1\\inimannt\\inimannt.exe -n -p=c:\\Progra~1\\inimannt\\inimannt.ini"
"ZENRC Tray Icon"="C:\\WINDOWS\\System32\\zentray.exe"
"NotesINICLeanup"="C:\\Program Files\\Lotus\\INICleanup\\Ini6Clean.exe"
"Desktop DNA Tray Icon"="C:\\invscan\\DNATray.exe"
"MSProject 2002 Professional Dynamic User Profiles"="Prof2305.exe"
"EPHD User"="\"C:\\Program Files\\PC Guardian\\EP Hard Disk\\User\\LaunchEPHD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\SYMANT~2\\VPTray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"RunLogonScriptSync"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"WallpaperStyle"="0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=dword:00000001
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=dword:00000000
"Btn_Forward"=dword:00000000
"Btn_Stop"=dword:00000000
"Btn_Refresh"=dword:00000000
"Btn_Home"=dword:00000000
"Btn_Search"=dword:00000000
"Btn_History"=dword:00000000
"Btn_Favorites"=dword:00000000
"Btn_Media"=dword:00000000
"Btn_Folders"=dword:00000000
"Btn_Fullscreen"=dword:00000000
"Btn_Tools"=dword:00000000
"Btn_MailNews"=dword:00000000
"Btn_Size"=dword:00000000
"Btn_Print"=dword:00000000
"Btn_Edit"=dword:00000000
"Btn_Discussions"=dword:00000000
"Btn_Cut"=dword:00000000
"Btn_Copy"=dword:00000000
"Btn_Paste"=dword:00000000
"Btn_Encoding"=dword:00000000
"Btn_PrintPreview"=dword:00000000
"NoSetActiveDesktop"=dword:00000001
"NoRecentDocsHistory"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoLogoff"=dword:00000000
"NoClose"=dword:00000000
"NoFileMenu"=dword:00000000
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoManageMyComputerVerb"=dword:00000001
"NoResolveTrack"=dword:00000001
"NoResolveSearch"=dword:00000001
"NoInstrumentation"=dword:00000001
"NoChangeAnimation"=dword:00000001
"Intellimenus"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoWindowsUpdate"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoRecentDocsNetHood"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoSimpleStartMenu"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"DisallowCpl"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]
"1"="Administrative Tools"
"2"="joy.cpl"
"3"="nusrmgr.cpl"
"4"="nwc.cpl"
"5"="speech"
"6"="Taskbar and Start Menu"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b23dc537-3e13-44c7-bf67-d8405eb377f7}"="bedstead"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="ziswin.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 18:45:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-28 18:46:07
C:\ComboFix-quarantined-files.txt ... 07-04-28 18:46

#6 Buckeye_Sam (Malware Expert, Member, 10,019 posts)

Sometimes the tool runs across a new variant that it can't handle yet and then we have to do this manually.


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b23dc537-3e13-44c7-bf67-d8405eb377f7}"=-

[-HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



================



Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"


C:\WINDOWS\system32\rcohty.dll


Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.


Please post a new log from Combofix.
Let me know how your computer is working now.
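The fix above works in three parts: it deletes one CLSID-named value from SharedTaskScheduler, removes that CLSID's InProcServer32 key (which is what tells Explorer which DLL to load), and then has the DLL itself deleted on reboot. As an added example (not code from this thread or from ComboFix, HijackThis or KillBox), the Python script below parses a REGEDIT4-style dump in the layout of the ComboFix "Reg Loading Points" section, lists every CLSID registered under SharedTaskScheduler and ShellExecuteHooks, resolves each one to the DLL its InProcServer32 default value names, and writes a removal .reg in the same shape as fixme.reg. The sample dump is constructed: its SharedTaskScheduler and ShellExecuteHooks lines are copied from the log above, while the CLSID\...\InProcServer32 key pointing at C:\WINDOWS\system32\rcohty.dll is an assumption about how that CLSID was wired to the DLL, not something the log shows.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the REGEDIT4-style layout ComboFix uses for its
# "Reg Loading Points" section. The SharedTaskScheduler and ShellExecuteHooks
# lines are copied from the log in this thread; the CLSID\...\InProcServer32
# key is an ASSUMPTION about how that CLSID loaded rcohty.dll (the log does
# not show it), and the Run entry is just one legitimate line for contrast.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b23dc537-3e13-44c7-bf67-d8405eb377f7}"="bedstead"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"=""

[HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}\InProcServer32]
@="C:\\WINDOWS\\system32\\rcohty.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# A value line is either "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
CLSID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

# Explorer loads every CLSID listed under these keys at logon, which is why
# both appear in the ComboFix output and why the fix targets the first one.
COM_AUTOSTART_KEYS = (r"explorer\sharedtaskscheduler", r"explorer\shellexecutehooks")


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash before '"' or '\\' marks a literal."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] / "name"=data lines into {key_lowercased: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])   # quoted string value
            keys[current][name] = data         # dword:/hex: data kept verbatim
    return keys


def inproc_server(keys: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """DLL path from the CLSID's InProcServer32 default value, if the dump has it."""
    for hive in (r"hkey_classes_root\clsid", r"hkey_local_machine\software\classes\clsid"):
        sub = keys.get(f"{hive}\\{clsid.lower()}\\inprocserver32")
        if sub and "@" in sub:
            return sub["@"]
    return None


def com_autostart_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """(autostart key, CLSID, DLL or None) for every CLSID-named value under the COM autostart keys."""
    found = []
    for key, values in keys.items():
        if key.endswith(COM_AUTOSTART_KEYS):
            for name in values:
                if CLSID_RE.match(name):
                    found.append((key, name, inproc_server(keys, name)))
    return found


def removal_reg(clsid: str) -> str:
    """Build a REGEDIT4 file in the same shape as fixme.reg for one CLSID.
    Two deletion forms are used: "name"=- removes a single value and [-key]
    removes a whole key. REGEDIT4 must be the very first line of the file."""
    lines = [
        "REGEDIT4",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]",
        f'"{clsid}"=-',
        "",
        rf"[-HKEY_CLASSES_ROOT\CLSID\{clsid}\InProcServer32]",
        "",
        rf"[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{clsid}\InProcServer32]",
        "",
    ]
    return "\r\n".join(lines)   # CRLF line ends, as Notepad writes them


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_DUMP)
    for key, clsid, dll in com_autostart_entries(parsed):
        location = key.rsplit("\\", 1)[-1]
        print(f"{location:22} {clsid}  ->  {dll or '(InProcServer32 not in dump)'}")
    print(removal_reg("{b23dc537-3e13-44c7-bf67-d8405eb377f7}"))
```

The script only surfaces what is registered; deciding that an entry is hostile is still the analyst's call, as it was in this thread, and a generated .reg should be read before it is merged, because `[-key]` removes everything beneath that key.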

#7 tfurru1 (Topic Starter, New Member, 8 posts)

Hi! Sorry for the delay, but I was offline the rest of the weekend and just ran Killbox this morning. That .dll file was the remaining culprit!! The icon and popups are now gone and everything is working perfectly! Thanks!! :whistling: :blink: :help:

Here is my latest ComboFix log:

"E028403" - 07-04-30 9:39:06 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\e028403\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))


2007-04-30 09:18 <DIR> d-------- C:\TEMP\notesbuddy
2007-04-30 09:12 <DIR> d-------- C:\TEMP\VBE
2007-04-30 09:04 <DIR> d-------- C:\TEMP\notesA448F4
2007-04-30 08:57 <DIR> d-------- C:\!KillBox
2007-04-28 18:46 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-28 17:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-28 17:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-28 17:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-28 16:03 3,760 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-28 09:49 <DIR> d-------- C:\Program Files\MW
2007-04-28 09:30 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-04-14 13:25 <DIR> d-------- C:\DOCUME~1\e028403\APPLIC~1\DivX
2007-04-12 10:52 <DIR> d-------- C:\Program Files\DivX
2007-04-06 08:46 <DIR> d-------- C:\RAZR
2007-04-05 08:08 8,192 --a------ C:\WINDOWS\system32\srvany.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-30 09:41 -------- d-------- C:\DOCUME~1\e028403\APPLIC~1\skype
2007-04-30 09:11 -------- d-------- C:\Program Files\remoteconnect
2007-04-30 09:10 -------- d-------- C:\Program Files\securid software token
2007-04-30 08:58 40 --a------ C:\WINDOWS\system32\profile.dat
2007-04-28 11:02 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-28 09:37 -------- d-------- C:\Program Files\e!pc
2007-04-27 08:30 -------- d-------- C:\DOCUME~1\e028403\APPLIC~1\weatherbug
2007-04-08 12:13 -------- d-------- C:\DOCUME~1\e028403\APPLIC~1\real
2007-03-27 02:55 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-03-27 02:55 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 02:55 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-03-27 02:55 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-03-27 02:49 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-03-27 02:49 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-03-27 02:49 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-03-27 02:49 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-03-27 02:49 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-03-27 02:49 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-03-27 02:49 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-03-27 02:49 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-03-27 02:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 02:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 02:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 02:48 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-03-11 14:09 16 --a------ C:\WINDOWS\popcinfo.dat
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-22 16:18 878 --a------ C:\DOCUME~1\e028403\APPLIC~1\adobedlm.log
2007-02-22 16:18 6 --a------ C:\DOCUME~1\e028403\APPLIC~1\dm.ini
2007-02-15 20:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-07 01:43 97 --a------ C:\DOCUME~1\e028403\APPLIC~1\sstraceprefs.xml


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IE6Sp1 Arb Settings"="\"C:\\Documents and Settings\\All Users\\Application Data\\Profiles\\IE6.Sp1\\Arb.exe\""
"MSOffice 2000 Profiles"="\"C:\\Documents and Settings\\All Users\\Application Data\\Profiles\\Office\\Prof486.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"NDPS"="C:\\WINDOWS\\System32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EABSERVR.EXE /Start"
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"smplsrch"="c:\\windows\\system32\\smplsrch.exe"
"ISStart"="C:\\InvScan\\isstart.exe -run"
"Inimannt"="c:\\Progra~1\\inimannt\\inimannt.exe -n -p=c:\\Progra~1\\inimannt\\inimannt.ini"
"ZENRC Tray Icon"="C:\\WINDOWS\\System32\\zentray.exe"
"NotesINICLeanup"="C:\\Program Files\\Lotus\\INICleanup\\Ini6Clean.exe"
"Desktop DNA Tray Icon"="C:\\invscan\\DNATray.exe"
"MSProject 2002 Professional Dynamic User Profiles"="Prof2305.exe"
"EPHD User"="\"C:\\Program Files\\PC Guardian\\EP Hard Disk\\User\\LaunchEPHD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\SYMANT~2\\VPTray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"RunLogonScriptSync"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"WallpaperStyle"="0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=dword:00000001
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=dword:00000000
"Btn_Forward"=dword:00000000
"Btn_Stop"=dword:00000000
"Btn_Refresh"=dword:00000000
"Btn_Home"=dword:00000000
"Btn_Search"=dword:00000000
"Btn_History"=dword:00000000
"Btn_Favorites"=dword:00000000
"Btn_Media"=dword:00000000
"Btn_Folders"=dword:00000000
"Btn_Fullscreen"=dword:00000000
"Btn_Tools"=dword:00000000
"Btn_MailNews"=dword:00000000
"Btn_Size"=dword:00000000
"Btn_Print"=dword:00000000
"Btn_Edit"=dword:00000000
"Btn_Discussions"=dword:00000000
"Btn_Cut"=dword:00000000
"Btn_Copy"=dword:00000000
"Btn_Paste"=dword:00000000
"Btn_Encoding"=dword:00000000
"Btn_PrintPreview"=dword:00000000
"NoSetActiveDesktop"=dword:00000001
"NoRecentDocsHistory"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoLogoff"=dword:00000000
"NoClose"=dword:00000000
"NoFileMenu"=dword:00000000
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoManageMyComputerVerb"=dword:00000001
"NoResolveTrack"=dword:00000001
"NoResolveSearch"=dword:00000001
"NoInstrumentation"=dword:00000001
"NoChangeAnimation"=dword:00000001
"Intellimenus"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoWindowsUpdate"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoRecentDocsNetHood"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoSimpleStartMenu"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"DisallowCpl"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]
"1"="Administrative Tools"
"2"="joy.cpl"
"3"="nusrmgr.cpl"
"4"="nwc.cpl"
"5"="speech"
"6"="Taskbar and Start Menu"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="ziswin.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-30 09:43:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-30 9:43:50
C:\ComboFix-quarantined-files.txt ... 07-04-30 09:43
C:\ComboFix2.txt ... 07-04-28 18:46

#8 Buckeye_Sam (Malware Expert, Member, 10,019 posts)

We're looking good! :whistling:

Use Killbox to delete these files also.

C:\WINDOWS\nircmd.exe
C:\WINDOWS\system32\tmp.reg



And post one more hijackthis log just so I can get one more look for anything suspicious.

#9 tfurru1 (Topic Starter, New Member, 8 posts)

I deleted those two files with Killbox and ran HijackThis again. Thanks again for all of your help! I hope others donate like I did to keep this site going. It is an excellent resource!!! :blink: :whistling:

Here is the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:46 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
C:\InvScan\ISSrv.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Progra~1\inimannt\inimannt.exe
C:\invscan\DNATray.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\e028403\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranetporta...a8a0fe6829130a0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.bankone.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IE6Sp1 Arb Settings] "C:\Documents and Settings\All Users\Application Data\Profiles\IE6.Sp1\Arb.exe"
O4 - HKLM\..\Run: [MSOffice 2000 Profiles] "C:\Documents and Settings\All Users\Application Data\Profiles\Office\Prof486.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [smplsrch] c:\windows\system32\smplsrch.exe
O4 - HKLM\..\Run: [ISStart] C:\InvScan\isstart.exe -run
O4 - HKLM\..\Run: [Inimannt] c:\Progra~1\inimannt\inimannt.exe -n -p=c:\Progra~1\inimannt\inimannt.ini
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [NotesINICLeanup] C:\Program Files\Lotus\INICleanup\Ini6Clean.exe
O4 - HKLM\..\Run: [Desktop DNA Tray Icon] C:\invscan\DNATray.exe
O4 - HKLM\..\Run: [MSProject 2002 Professional Dynamic User Profiles] Prof2305.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.bankone.net/
O15 - Trusted Zone: http://helos-uat.chase.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qpchaseweb.chase.com/qp2.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://enterpriseqc....in/Spider80.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168952514584
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\Software\..\Telephony: DomainName = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bankone.net,chase.com,jpmchase.com,jpmorganchase.com,svr.bankone.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NAEAST.AD.JPMORGANCHASE.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bankone.net,chase.com,jpmchase.com,jpmorganchase.com,svr.bankone.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bankone.net,chase.com,jpmchase.com,jpmorganchase.com,svr.bankone.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CCM Monitor Service (CcmMonitor) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EphdXlatService - Unknown owner - C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
O23 - Service: InvScan Service (ISService) - Bank One Corporation - C:\InvScan\ISSrv.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCG Protect - PC Guardian - C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WebClientSrv - PC Guardian Technologies, Inc. - C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

#10 Buckeye_Sam (Malware Expert, Member, 10,019 posts)

Your log looks clean to me! :whistling:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:blink: :help:
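The six Custom Level changes in the list above are stored by Internet Explorer as DWORD values under the current user's Internet-zone key, so whether they are actually in effect can be checked without clicking through the dialog. As an added example (not code from the post or from any of the products named in it), the Python script below audits those values against the recommended states. The value names and the Enable/Prompt/Disable encodings (0, 1 and 3) are the ones documented in Microsoft KB 182569; the key path read is the current user's only, since a machine-wide policy can also exist under HKEY_LOCAL_MACHINE; and the dictionary used when winreg is unavailable is a constructed sample, not a real machine's settings.

```python
from typing import Dict, List, Optional, Tuple

# Where IE keeps per-zone settings for the current user; zone 3 is "Internet".
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# DWORD states IE uses for these action settings (Microsoft KB 182569).
ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings the post above changes, keyed by the value name IE stores
# them under, with the state the post recommends.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_internet_zone(values: Dict[str, int]) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (value name, description, current, recommended) for every setting
    that is absent or less restrictive than recommended. Enable (0) < Prompt (1)
    < Disable (3), so a numeric comparison orders the states by strictness."""
    findings = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        if have is None or have < want:
            findings.append((name, desc, have, want))
    return findings


def describe(findings: List[Tuple[str, str, Optional[int], int]]) -> List[str]:
    """One readable line per finding."""
    out = []
    for name, desc, have, want in findings:
        cur = "not set" if have is None else STATE_NAME.get(have, str(have))
        out.append(f"{name} {desc}: {cur} -> should be {STATE_NAME[want]}")
    return out


def read_internet_zone() -> Dict[str, int]:
    """Windows only: read the current user's Internet-zone values with winreg."""
    import winreg  # not available on non-Windows platforms
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue          # value absent: audit reports it as "not set"
            if kind == winreg.REG_DWORD:
                values[name] = int(data)
    return values


if __name__ == "__main__":
    try:
        current = read_internet_zone()
    except ImportError:
        # Constructed sample for non-Windows runs: two of the six settings are
        # still at Enable, the other four already match the recommendation.
        current = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
                   "1800": ENABLE, "1804": PROMPT, "1607": PROMPT}
    for line in describe(audit_internet_zone(current)):
        print(line)
```

A setting that is stricter than recommended (Disable where Prompt was asked for) is deliberately not reported, and a missing value is reported as "not set" rather than assumed safe, because IE then falls back to the zone template's default for that action.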