Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

a:b and CoolWebSearch won't go away [RESOLVED]

Started by jaysin , Apr 14 2005 08:37 AM

  • This topic is locked This topic is locked

#1
jaysin
Posted 14 April 2005 - 08:37 AM

jaysin

    Member

  • Member
  • PipPip
  • 15 posts
my first post here. hope i followed directions right.
installed all software recommended.
they seem to find all the things i thought was there, and then looks like they are cleaning, but the malware/trojans keep coming back.
also every new ie window comes with a
C:\WIN2K\ShellIconCache:rfroot trojan detected by McAfee.

here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:08 AM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\mspmspsv.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\WIN2K\netss32.exe
C:\WIN2K\system32\rundll32.exe
C:\WIN2K\ipfj32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WIN2K\system32\pctspk.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Common Files\Compuware\cwaftrcsrv.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\jslvz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compuware Corporation
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E5EA22AB-4F6B-A697-C966-AD102CC207D9} - C:\WIN2K\iepb.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ipfj32.exe] C:\WIN2K\ipfj32.exe
O4 - HKLM\..\Run: [USBPAD] UsbPad.exe Install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WIN2K\system32\netat32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O4 - Global Startup: Test Execution Server.lnk = C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
O4 - Global Startup: USB KeyPad.lnk = C:\WIN2K\USBPad.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN2K\System32\Shdocvw.dll
O9 - Extra button: Phone Book - {AA0850BA-2281-4487-BB23-79CD86CD65F1} - http://compuapps1.co...jamorgchart.asp (file missing) (HKCU)
O9 - Extra button: Helpdesk - {E722A195-8277-4207-9DC0-5E9509DC3608} - http://compuweb.comp...lp/contacts.htm (file missing) (HKCU)
O9 - Extra button: Standards - {EEFB7A5F-FE31-4BDD-841C-1C291E928609} - http://compuweb.comp...ers/default.htm (file missing) (HKCU)
O9 - Extra button: Webmail - {F0035C52-A157-4528-A2C7-3155D3D3908B} - https://webmail1.com...hange/logon.asp (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://compuweb.compuware.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb...es/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compuwaremc....bex/ieatgpc.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://aweb.nl.compu...ion/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54343B9-A8E1-412B-B111-0C6148BEA62C}: Domain = compuware.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WIN2K\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Test Management Server (TmSrvService) - Compuware Corporation - C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tmsrv.exe



Also, here is my Panda ActiveScan:

Incident Status Location

Adware:Adware/Sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF175GLF175.EXE
Adware:Adware/Sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF9GLF9.EXE
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5847.tmp[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[Beyond.class]
Adware:Adware/Sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\targetsaver.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[Beyond.class]
Virus:Trj/Downloader.BWD Disinfected C:\ml00!.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\uninstall6_38.exe
Adware:Adware/EasySearch No disinfected C:\RECYCLER\S-1-5-21-329068152-764733703-1343024091-1004\Dc65.dll
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\addac.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\adddl.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\addia.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\crge.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\d3zc.exe
Adware:Adware/FunWeb No disinfected C:\WIN2K\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Spyware:Spyware/YourSiteBar No disinfected C:\WIN2K\Downloaded Program Files\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WIN2K\Downloaded Program Files\ysbactivex.inf
Adware:Adware/SearchAid No disinfected C:\WIN2K\iepb.dll
Adware:Adware/SearchAid No disinfected C:\WIN2K\ipfj32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\javaak32.exe
Adware:Adware/EasySearch No disinfected C:\WIN2K\jslvz.dll
Spyware:Spyware/New.net No disinfected C:\WIN2K\NDNuninstall6_38.exe
Virus:Trj/Downloader.BSU No disinfected C:\WIN2K\netss32.exe
Spyware:Spyware/MarketScore No disinfected C:\WIN2K\system32\rk.exe

Thanks a lot, for any help!
  • 0

Advertisements

#2
jaysin
Posted 14 April 2005 - 08:37 PM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
:tazz:
  • 0

#3
Michelle
Posted 14 April 2005 - 11:39 PM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, Jaysin - Let's get this party started! :tazz:

First, let's get rid of your Internet Access HiJack...

Get rid of NewDotNet by going to: Start > Control Panel > Add/Remove Programs and remove it (i.e. New.Net Application or New.Net Domains). If it is not there, go here and follow Procedure 4: NewDotNet. At the very bottom of that page, it says:

For NewDotNet removal instructions, please click here

That's where you need to click to get to removal procedure 4 (ONLY if you can't find the New.Net in Add/Remove programs).
  • 0

#4
jaysin
Posted 18 April 2005 - 05:50 AM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I appreciate your help.
Okay.. newdotnet removed. here's my latest hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 7:47:22 AM, on 4/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\mspmspsv.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WIN2K\system32\pctspk.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WIN2K\sysnf32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Common Files\Compuware\cwaftrcsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compuware Corporation
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D623E4CA-9FA0-D46F-69FF-3A509206DEB7} - C:\WIN2K\system32\javadw.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [USBPAD] UsbPad.exe Install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WIN2K\system32\netat32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sysnf32.exe] C:\WIN2K\sysnf32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O4 - Global Startup: Test Execution Server.lnk = C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
O4 - Global Startup: USB KeyPad.lnk = C:\WIN2K\USBPad.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN2K\System32\Shdocvw.dll
O9 - Extra button: Phone Book - {AA0850BA-2281-4487-BB23-79CD86CD65F1} - http://compuapps1.co...jamorgchart.asp (file missing) (HKCU)
O9 - Extra button: Helpdesk - {E722A195-8277-4207-9DC0-5E9509DC3608} - http://compuweb.comp...lp/contacts.htm (file missing) (HKCU)
O9 - Extra button: Standards - {EEFB7A5F-FE31-4BDD-841C-1C291E928609} - http://compuweb.comp...ers/default.htm (file missing) (HKCU)
O9 - Extra button: Webmail - {F0035C52-A157-4528-A2C7-3155D3D3908B} - https://webmail1.com...hange/logon.asp (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://compuweb.compuware.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb...es/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compuwaremc....bex/ieatgpc.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://aweb.nl.compu...ion/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54343B9-A8E1-412B-B111-0C6148BEA62C}: Domain = compuware.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WIN2K\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Test Management Server (TmSrvService) - Compuware Corporation - C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tmsrv.exe
  • 0

#5
Michelle
Posted 18 April 2005 - 10:59 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\Documents and Settings\Administrator\Local Settings\Temp\GLF175GLF175.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\GLF9GLF9.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\targetsaver.exe
C:\Program Files\NewDotNet\newdotnet6_38.dll
C:\Program Files\NewDotNet\uninstall6_38.exe
C:\RECYCLER\S-1-5-21-329068152-764733703-1343024091-1004\Dc65.dll
C:\WIN2K\Downloaded Program Files\f3initialsetup1.0.0.8.inf
C:\WIN2K\Downloaded Program Files\YSBactivex.dll
C:\WIN2K\Downloaded Program Files\ysbactivex.inf
C:\WIN2K\iepb.dll
C:\WIN2K\ipfj32.exe
C:\WIN2K\javaak32.exe
C:\WIN2K\system32\rk.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

Post a new HiJackThis log.
  • 0

#6
jaysin
Posted 18 April 2005 - 04:06 PM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ok.. check. here's the latest log.

Logfile of HijackThis v1.99.1
Scan saved at 6:04:21 PM, on 4/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\mspmspsv.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WIN2K\system32\pctspk.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WIN2K\sysnf32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Compuware\cwaftrcsrv.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN2K\system32\hkzlq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compuware Corporation
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D623E4CA-9FA0-D46F-69FF-3A509206DEB7} - C:\WIN2K\system32\javadw.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [USBPAD] UsbPad.exe Install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WIN2K\system32\netat32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sysnf32.exe] C:\WIN2K\sysnf32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O4 - Global Startup: Test Execution Server.lnk = C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
O4 - Global Startup: USB KeyPad.lnk = C:\WIN2K\USBPad.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN2K\System32\Shdocvw.dll
O9 - Extra button: Phone Book - {AA0850BA-2281-4487-BB23-79CD86CD65F1} - http://compuapps1.co...jamorgchart.asp (file missing) (HKCU)
O9 - Extra button: Helpdesk - {E722A195-8277-4207-9DC0-5E9509DC3608} - http://compuweb.comp...lp/contacts.htm (file missing) (HKCU)
O9 - Extra button: Standards - {EEFB7A5F-FE31-4BDD-841C-1C291E928609} - http://compuweb.comp...ers/default.htm (file missing) (HKCU)
O9 - Extra button: Webmail - {F0035C52-A157-4528-A2C7-3155D3D3908B} - https://webmail1.com...hange/logon.asp (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://compuweb.compuware.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb...es/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compuwaremc....bex/ieatgpc.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://aweb.nl.compu...ion/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54343B9-A8E1-412B-B111-0C6148BEA62C}: Domain = compuware.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WIN2K\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Test Management Server (TmSrvService) - Compuware Corporation - C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tmsrv.exe
  • 0

#7
Michelle
Posted 19 April 2005 - 12:40 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please print these instructions before continuing!!

Your infection requires various programs in order to fix. Please download the programs listed below, but do not run them yet:

1) About:Buster:
*Download it and extract it to C:/aboutbuster.
*Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
*Click "OK" at the prompt with instructions.
*Click "Update" and then "Check For Update" to begin the update process.
*If any updates exist please download them by clicking "Download Update".
*You should not run the program yet so click "Exit".
2) CleanUp! - Download it and install it.
3) CWShredder - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot in normal mode.

Post a new HijackThis log.
  • 0

#8
jaysin
Posted 19 April 2005 - 09:46 AM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey banana,
Here is the latest logfile.
When I ran CleanUp! it told me there were two files it couldn't clean until I rebooted. I rebooted and again went to safe mode, but I couldn't tell if CleanUp finished those last two off. I then continued.
That was the only step I had to vary from... everything else went smoothly.

Jaysin



Logfile of HijackThis v1.99.1
Scan saved at 11:40:00 AM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\mspmspsv.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WIN2K\system32\pctspk.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WIN2K\sysnf32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Compuware\cwaftrcsrv.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compuware Corporation
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D623E4CA-9FA0-D46F-69FF-3A509206DEB7} - C:\WIN2K\system32\javadw.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [USBPAD] UsbPad.exe Install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WIN2K\system32\netat32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sysnf32.exe] C:\WIN2K\sysnf32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O4 - Global Startup: Test Execution Server.lnk = C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
O4 - Global Startup: USB KeyPad.lnk = C:\WIN2K\USBPad.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN2K\System32\Shdocvw.dll
O9 - Extra button: Phone Book - {AA0850BA-2281-4487-BB23-79CD86CD65F1} - http://compuapps1.co...jamorgchart.asp (file missing) (HKCU)
O9 - Extra button: Helpdesk - {E722A195-8277-4207-9DC0-5E9509DC3608} - http://compuweb.comp...lp/contacts.htm (file missing) (HKCU)
O9 - Extra button: Standards - {EEFB7A5F-FE31-4BDD-841C-1C291E928609} - http://compuweb.comp...ers/default.htm (file missing) (HKCU)
O9 - Extra button: Webmail - {F0035C52-A157-4528-A2C7-3155D3D3908B} - https://webmail1.com...hange/logon.asp (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://compuweb.compuware.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb...es/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compuwaremc....bex/ieatgpc.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://aweb.nl.compu...ion/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54343B9-A8E1-412B-B111-0C6148BEA62C}: Domain = compuware.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WIN2K\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Test Management Server (TmSrvService) - Compuware Corporation - C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tmsrv.exe
  • 0

#9
Michelle
Posted 19 April 2005 - 10:11 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Jaysin, I need you to go here:
http://www.thespykil...x.php?board=1.0

*Click on "New Topic"
*Put your name, e-mail address, and this as the title: "sysnf32.exe and netat32.exe"
*Put a link to this geeks to go topic in the description box.
*Click on the "More Attachments link"
*Then on the first box, click the "browse" button at the bottom, then navigate to this file:

C:\WIN2K\sysnf32.exe

*Press "Open".

*On the second box, click the "Browse" button, then navigate to this file:

C:\WIN2K\system32\netat32.exe

*Press "Open"
*Click post.

Thank you!
  • 0

#10
jaysin
Posted 19 April 2005 - 02:24 PM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Banana,
I couldn't find netat32.exe in my win2k/system32 dir.
I DO have a netet32.exe which is 0 Kb.
Should this be the second file I attach?
or just post with the one?

Jaysin
  • 0

Advertisements

#11
Michelle
Posted 19 April 2005 - 02:26 PM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go ahead and attached the netet32 as well.

Thank you! :tazz:
  • 0

#12
jaysin
Posted 19 April 2005 - 05:01 PM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
okay, posted.
  • 0

#13
Michelle
Posted 19 April 2005 - 05:06 PM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Thank you! I will work on what needs to be fixed next in your log and will be back asap! :tazz:
  • 0

#14
Michelle
Posted 19 April 2005 - 07:54 PM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Press CTRL ALT DELETE, click the Processes tab and end the following processes, if found:

sysnf32.exe

Exit Task Manager.

Go to Start > Control Panel > Add or Remove Programs and remove the following program:

180solutions

Exit Add/Remove programs.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following items, if found and click FIX CHECKED:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {D623E4CA-9FA0-D46F-69FF-3A509206DEB7} - C:\WIN2K\system32\javadw.dll

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WIN2K\system32\netat32.exe
O4 - HKLM\..\Run: [sysnf32.exe] C:\WIN2K\sysnf32.exe

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb...es/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)

Reboot into Safe Mode and delete the following items, if found, (in bold):

C:\WIN2K\netcd32.exe
C:\WIN2K\sysnf32.exe
c:\program files\180solutions <-Folder
C:\WIN2K\system32\javadw.dll
C:\WIN2K\system32\netat32.exe (or netet32.exe)

Reboot into normal mode and post a new HiJackThis log.
  • 0

#15
jaysin
Posted 19 April 2005 - 09:12 PM

jaysin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
C:\WIN2K\sysnf32.exe and
C:\WIN2K\system32\netet32.exe
were the only files I found, and I couldn't delete
netet32.exe
It said that there was a sharing violation and that it was in use.

Here is my latest log.



Logfile of HijackThis v1.99.1
Scan saved at 10:50:32 PM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\mspmspsv.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WIN2K\system32\pctspk.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Common Files\Compuware\cwaftrcsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\oqzdd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\oqzdd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN2K\oqzdd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\oqzdd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\oqzdd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN2K\oqzdd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compuware Corporation
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {714822BE-B196-4088-FEDF-55AC5CE11995} - C:\WIN2K\system32\appff32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [USBPAD] UsbPad.exe Install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O4 - Global Startup: Test Execution Server.lnk = C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
O4 - Global Startup: USB KeyPad.lnk = C:\WIN2K\USBPad.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN2K\System32\Shdocvw.dll
O9 - Extra button: Phone Book - {AA0850BA-2281-4487-BB23-79CD86CD65F1} - http://compuapps1.co...jamorgchart.asp (file missing) (HKCU)
O9 - Extra button: Helpdesk - {E722A195-8277-4207-9DC0-5E9509DC3608} - http://compuweb.comp...lp/contacts.htm (file missing) (HKCU)
O9 - Extra button: Standards - {EEFB7A5F-FE31-4BDD-841C-1C291E928609} - http://compuweb.comp...ers/default.htm (file missing) (HKCU)
O9 - Extra button: Webmail - {F0035C52-A157-4528-A2C7-3155D3D3908B} - https://webmail1.com...hange/logon.asp (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://compuweb.compuware.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compuwaremc....bex/ieatgpc.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://aweb.nl.compu...ion/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54343B9-A8E1-412B-B111-0C6148BEA62C}: Domain = compuware.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WIN2K\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Test Management Server (TmSrvService) - Compuware Corporation - C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tmsrv.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP