HJT log for review[RESOLVED]



#1 abigrrrl (Member, 12 posts)
Bringing a sister's (seriously outdated) 2K box up to date and have eradicated all major system errors but this last pop-up issue. (I think at this point I'm just tired.) Have installed all necessary Win 2K updates, uninstalled all non-essential progs and deleted all temp files. D/l'ded Ad-Aware v6.0, msconfig to try and troubleshoot issue; still can't get rid of these popups and unwanted search bar in IE. Any help much appreciated, as Netscape just doesn't cut it-- she's gotta have her IE! :tazz: Here's the HJT ::

Logfile of HijackThis v1.99.1
Scan saved at 11:19:47 PM, on 4/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Ganymede\Endpoint\endpoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Darden Business School
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CarralesC03\Application Data\Mozilla\Profiles\default\h8vorb34.slt\prefs.js)
O1 - Hosts: 128.143.59.60 DARDENMAIL
O1 - Hosts: 128.143.59.62 STUMAIL
O1 - Hosts: 128.143.59.62 PONYEXPRESS
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - c:\sysfwb\8158676349\iefwbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ganymede Software Endpoint (GanymedeSoftwareEndpoint) - Ganymede Software Inc. - C:\Ganymede\Endpoint\endpoint.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

thx in advance-- LJ--abigrrrl



#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi there,

I see you have Ad-Aware 6 installed. That version of Ad-Aware is an old one and doesn't update anymore, so I suggest you uninstall it again and download the new Ad-Aware SE.

http://www.lavasoft....pport/download/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - c:\sysfwb\8158676349\iefwbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe


For the next ones, I assume that you added those yourself in your hosts file? If not, check them:

O1 - Hosts: 128.143.59.60 DARDENMAIL
O1 - Hosts: 128.143.59.62 STUMAIL
O1 - Hosts: 128.143.59.62 PONYEXPRESS


Are you aware that there are restrictions present in your Internet Explorer? Some programs like Spybot Search & Destroy add those lines, or an administrator does.
If you're not aware of it, check them:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


* Click on Fix Checked when finished and exit HijackThis.


* Reboot into Safe Mode: !! Important!!
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Using Windows Explorer, locate the following folder, and delete it:

c:\sysfwb <== this folder

* Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; this is normal.


* Reboot your system back to normal mode.

Post back a fresh HijackThis log and I'll take another look.

If you had any problems with deleting files or noticed any other problems during your fix, let me also know in your next reply.

#3 abigrrrl (Topic Starter, 12 posts)
OK, couldn't log in under safe mode. It's not accepting the password. I went ahead and put the most updated HJT below, although it's probably a moot point right now. Any suggestions on how to circumvent the UN/PW request in safe mode?
Thx, abi

Logfile of HijackThis v1.99.1
Scan saved at 1:06:07 PM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Ganymede\Endpoint\endpoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Darden Business School
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CarralesC03\Application Data\Mozilla\Profiles\default\h8vorb34.slt\prefs.js)
O1 - Hosts: 128.143.59.60 DARDENMAIL
O1 - Hosts: 128.143.59.62 STUMAIL
O1 - Hosts: 128.143.59.62 PONYEXPRESS
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ganymede Software Endpoint (GanymedeSoftwareEndpoint) - Ganymede Software Inc. - C:\Ganymede\Endpoint\endpoint.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Can't you just log in in safe mode without entering a password?
It is important that you run that fix in safe mode, because in normal mode those files aren't visible, even with hidden folders and files displayed.
And there are a lot of them..

Maybe, we can try to use the next tool to trace them.
I just hope it will show them in normal mode..

Download rkfiles.zip
UNZIP the contents to a permanent folder

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Double-click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.

Edited by miekiemoes, 14 April 2005 - 03:54 PM.


#5 abigrrrl (Topic Starter, 12 posts)
I can't log in under safe mode w/out proper UN/PW; I have no idea what these could be given that her usual Windows UN/PW isn't working and she's only ever had what she uses now for normal startup. Tried cancelling out, no-go. Tried deleting all fields and hitting OK, no-go. Whatev... Locked myself out a few times trying common test UN/PW combos, to no avail.
But here's the log, hopefully this works. I'm guessing pop2.exe is it?... Dunno what pacis is...
~thx


C:\HJT

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\pacis.exe: UPX!
C:\WINNT\system32\pop2.exe: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\wupdsnff.exe: UPX!
Finished
bye
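The "UPX!" tag in the rkfiles output above marks files carrying the UPX packer's signature. As an added example, not the rkfiles tool and not anything posted here, the Python script below does the same check over a directory tree: read the start of each file, require the PE "MZ" header so text files that merely mention UPX are ignored, and look for the UPX loader magic or its default section names. The sample tree it scans is constructed in a temp directory from fake PE stubs whose names only echo the log; packing is a hint, not a verdict, which is the caveat the tool's own banner gives.

```python
"""Find UPX-packed PE files under a directory tree (the "UPX!" check rkfiles reports).

Added example, not the rkfiles tool.  The sample tree is constructed so the
script runs offline; its file names are fakes that merely echo the log.
"""
import os
import tempfile

PE_MAGIC = b"MZ"                               # every PE image starts with the DOS stub "MZ"
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")      # UPX loader magic and default section names
HEAD_BYTES = 64 * 1024                         # section table and UPX header sit within this


def is_upx_packed(path):
    """True if the file looks like a PE image and carries a UPX marker in its first 64 KiB."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if not head.startswith(PE_MAGIC):
        return False  # data or text files mentioning "UPX!" are not packed binaries
    return any(marker in head for marker in UPX_MARKERS)


def find_packed(root):
    """Walk root and return the relative paths (with "/" separators) of UPX-packed PE files, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_upx_packed(full):
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable or in-use file: skip it, as a scan on a live box must
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree of fake PE stubs for the demo and return its path."""
    root = tempfile.mkdtemp(prefix="rkfiles_demo_")
    os.makedirs(os.path.join(root, "system32"))
    samples = {
        # fake packed binary: MZ header, PE signature, a UPX0 section name
        "system32/pacis_demo.exe": b"MZ" + b"\0" * 62 + b"PE\0\0" + b"UPX0" + b"\0" * 32,
        # fake clean binary: same layout, ordinary .text section
        "system32/clean_demo.exe": b"MZ" + b"\0" * 62 + b"PE\0\0" + b".text" + b"\0" * 32,
        # fake packed binary in the Windows folder with the loader magic further in
        "wupd_demo.exe": b"MZ" + b"\0" * 200 + b"UPX!" + b"\0" * 16,
        # not a PE at all, so it must not be reported even though it says UPX!
        "notes.txt": b"this text file mentions UPX! but is not an executable",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_packed(demo_root):
        print(f"{hit}: UPX!")
```

On the sample tree the scan reports the two fake packed binaries and nothing else; on a real system32 it will also list legitimately packed programs, which is why the result is a list to review, not a delete list.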

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

As I thought... the files I wanted to see are not present in rkfiles. But it did show some other files that need to get deleted too.

I don't really know how to solve it for the Elite infection you have, because they are only visible in safe mode (and there are a bunch of them).
But we can give it a try and delete that file that is visible in the log. Normally, after every reboot, the file changes... so after all, we can trace them all. :tazz:

Because you can't boot in safe mode, we'll need an extra tool to delete those files.

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the following lines:

C:\WINNT\system32\pacis.exe
C:\WINNT\system32\pop2.exe
C:\WINNT\wupdsnff.exe
C:\winnt\system32\elitennh32.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to reboot now, click YES.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your system will reboot now.

Also look if following are present and delete them:

C:\WINDOWS\system32\temperror32.dat
C:\windows\EliteToolbar or EliteSidebar
C:\WINDOWS\system32\elitedoolsav.dat
C:\WINDOWS\system32\eliteerror32.dat

If you have problems with deleting some of them, please also tell me.

Post a new HijackThis log.

Edited by miekiemoes, 14 April 2005 - 05:18 PM.


#7 abigrrrl (Topic Starter, 12 posts)
Here's the latest HJT after using Killbox. I was able to delete the .exe's, but couldn't find the .dats to delete.

thx--abi

Logfile of HijackThis v1.99.1
Scan saved at 8:09:34 PM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Ganymede\Endpoint\endpoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Darden Business School
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CarralesC03\Application Data\Mozilla\Profiles\default\h8vorb34.slt\prefs.js)
O1 - Hosts: 128.143.59.60 DARDENMAIL
O1 - Hosts: 128.143.59.62 STUMAIL
O1 - Hosts: 128.143.59.62 PONYEXPRESS
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ganymede Software Endpoint (GanymedeSoftwareEndpoint) - Ganymede Software Inc. - C:\Ganymede\Endpoint\endpoint.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Yes, as I thought.

Let's see if it comes back afterwards:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe


* Click on Fix Checked when finished and exit HijackThis.

REBOOT and post a new log.

There must be a way to get the administrator's password or change it..

Try this:

One or both of these should help:

Start, Run and type "control userpasswords2" (type the space but not the quotes) and untick "Users must enter ......".

To be an administrator Start, Run and type "control userpasswords2" (type the space but not the quotes), click Properties against your name and make yourself an administrator.

You can also change the admin password over there. You don't need to know the old password to change it.

#9 abigrrrl (Topic Starter, 12 posts)
Clicked on both programs to "fix". Unfortunately, after reboot the popups are still occurring-- but it's nowhere near as bad as it was and I thank you!
Now, on to the admin pass thing...


Logfile of HijackThis v1.99.1
Scan saved at 4:50:40 PM, on 4/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Ganymede\Endpoint\endpoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Darden Business School
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CarralesC03\Application Data\Mozilla\Profiles\default\h8vorb34.slt\prefs.js)
O1 - Hosts: 128.143.59.60 DARDENMAIL
O1 - Hosts: 128.143.59.62 STUMAIL
O1 - Hosts: 128.143.59.62 PONYEXPRESS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ganymede Software Endpoint (GanymedeSoftwareEndpoint) - Ganymede Software Inc. - C:\Ganymede\Endpoint\endpoint.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#10 abigrrrl (Topic Starter, 12 posts)
Also, nothing happens when I do start>run>control userpassswords2; no window opens; nada. /:tazz: Am I missing something?


#11 miekiemoes (Malware Expert, MVP, 5,503 posts)
That is really the problem here... as long as you can't boot in safe mode to delete those files, it won't go away.
Using the Recovery Console from the original CD-ROM to run the batch (LQfix) won't work either, because you need to know the admin password again. :tazz:

Let's try to killbox the next file again:

Click killbox.exe.
Select the option "Delete on reboot".
In the field labeled "Full Path of File to Delete" copy and paste next:

C:\winnt\system32\elitennh32.exe

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to reboot now, click YES.

Your system must reboot now.

Check and fix the next line in HijackThis again:

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitennh32.exe

Try this tool
Unzip it and run it.
I don't think it will really work, because it also needs to be run in safe mode, but we can give it a try.

Reboot again and post a new HijackThis log.

#12 miekiemoes (Malware Expert, MVP, 5,503 posts)
abigrrrl wrote:
> Also, nothing happens when I do start>run>control userpassswords2; no window opens; nada. /:tazz: Am I missing something?

Hmm. I thought this would work on Win 2000 too.
I could be wrong here.

Here I found some more info. Maybe it can help: http://home.eunet.no...rdahl/ntpasswd/

#13 abigrrrl (Topic Starter, 12 posts)
OK; scratch that. Tried it as
start>run>control userpasswords
without the '2'

but it says the username I'm currently attempting to log in with is in the Administrators group; I can't imagine it being a domain issue as you naturally are just logging into your local PC when in safe mode, no? Although it looks like she's got the same setup for the local domain as well. Let me know if you need some screen shots and I can email them, or something...
thx!

Edited by abigrrrl, 16 April 2005 - 06:30 PM.


#14 miekiemoes (Malware Expert, MVP, 5,503 posts)
Well, if your sister did set all this up, she must know the password then?
Hmm.. I really don't have knowledge about passwords and how to reset/regain them. :tazz:

#15 abigrrrl (Topic Starter, 12 posts)
I got in!! Whew~
Of course, I couldn't find my list of instructions so I had to log out and come back here-- der... I'm wondering if it has anything to do with the fact that I had logged in just prior to that into the "this PC" domain vs. the global one.. It's funny, cause I had reset the passwords for her profile in the local domain and tried the same for the global one and I got a "this domain unavailable" error. I think somehow, somewhere the profiles are a little mixed up; she used to use her school's I-net access and now she's on SBC DSL and I recall having a strange issue with renaming crap right after they moved. OK, sorry-- overshare..
God will I be glad when these pop ups are gone! :tazz: