
Derbiz Spyware[RESOLVED]


This topic is locked

#1 hill1m (New Member, 8 posts)
Hi

I am having problems getting rid of Derbiz from my laptop. I also noticed that you have solved this for a number of people.

Could you please have a look at my HijackThis log?

Thanks

Mark

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Personal Communications\pcsws.exe
C:\Program Files\Personal Communications\PCSCM.EXE
C:\Program Files\IBM\TACACS Client\TACACSClient.exe
C:\Program Files\SecureFX\SecureFX.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.greenock.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = uk.ibm.com;ibm.com;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 9.134.214.138 ibm-07m1u4ude2n # Docupit 2
O1 - Hosts: 9.134.214.140 ibm-5hrk97xc5qo # Docupit 1
O1 - Hosts: 9.134.214.137 DOCUPIT05 # Docupit 5
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com/
O16 - DPF: {5949E0BC-5CCE-4990-A794-956EC4E444CC} (Assesser Class) - http://testcontent.a...nt/Assesser.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3.ibm.com/to...lugin/gpwsx.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://129.35.72.8/v...tivexviewer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup141.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\c4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora91\bin\omtsreco.exe
O23 - Service: OracleOraHome91Agent - Oracle Corporation - c:\oracle\ora91\bin\agntsrvc.exe
O23 - Service: OracleOraHome91ClientCache - Unknown owner - c:\oracle\ora91\BIN\ONRSD.EXE
O23 - Service: OracleOraHome91HTTPServer - Unknown owner - c:\oracle\ora91\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome91ManagementServer - Unknown owner - C:\oracle\ora91\bin\OMSNTsrv.exe
O23 - Service: OracleOraHome91PagingServer - Unknown owner - c:\oracle\ora91/bin/pagntsrv.exe
O23 - Service: OracleOraHome91SNMPPeerEncapsulator - Unknown owner - c:\oracle\ora91\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome91SNMPPeerMasterAgent - Unknown owner - c:\oracle\ora91\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome91TNSListener - Unknown owner - c:\oracle\ora91\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMARK - Oracle Corporation - c:\oracle\ora91\bin\ORACLE.EXE
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#2 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Hi hill1m,

We will need to see the complete log including header.

Thanks,

#3 hill1m (Topic Starter, New Member, 8 posts)
Sorry, I missed this off when I copied and pasted.

Here it is in full.

Logfile of HijackThis v1.99.1
Scan saved at 14:08:13, on 03/05/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\c4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
c:\oracle\ora91\bin\omtsreco.exe
c:\oracle\ora91\bin\agntsrvc.exe
C:\WINNT\system32\cmd.exe
c:\oracle\ora91\bin\dbsnmp.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ICO.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\IBM\Infoprint Select\ipnotify.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\PerSono\perstray.exe
C:\notes\NLNOTES.EXE
C:\Program Files\Lotus\SameTime Client\Connect.exe
C:\notes\ntaskldr.EXE
C:\notes\nNOTESMM.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Personal Communications\pcsws.exe
C:\Program Files\Personal Communications\PCSCM.EXE
C:\Program Files\IBM\TACACS Client\TACACSClient.exe
C:\Program Files\SecureFX\SecureFX.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Mark's Documents\Stuff\AntiVirus\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.greenock.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = uk.ibm.com;ibm.com;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 9.134.214.138 ibm-07m1u4ude2n # Docupit 2
O1 - Hosts: 9.134.214.140 ibm-5hrk97xc5qo # Docupit 1
O1 - Hosts: 9.134.214.137 DOCUPIT05 # Docupit 5
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com/
O16 - DPF: {5949E0BC-5CCE-4990-A794-956EC4E444CC} (Assesser Class) - http://testcontent.a...nt/Assesser.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3.ibm.com/to...lugin/gpwsx.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://129.35.72.8/v...tivexviewer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup141.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\c4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora91\bin\omtsreco.exe
O23 - Service: OracleOraHome91Agent - Oracle Corporation - c:\oracle\ora91\bin\agntsrvc.exe
O23 - Service: OracleOraHome91ClientCache - Unknown owner - c:\oracle\ora91\BIN\ONRSD.EXE
O23 - Service: OracleOraHome91HTTPServer - Unknown owner - c:\oracle\ora91\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome91ManagementServer - Unknown owner - C:\oracle\ora91\bin\OMSNTsrv.exe
O23 - Service: OracleOraHome91PagingServer - Unknown owner - c:\oracle\ora91/bin/pagntsrv.exe
O23 - Service: OracleOraHome91SNMPPeerEncapsulator - Unknown owner - c:\oracle\ora91\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome91SNMPPeerMasterAgent - Unknown owner - c:\oracle\ora91\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome91TNSListener - Unknown owner - c:\oracle\ora91\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMARK - Oracle Corporation - c:\oracle\ora91\bin\ORACLE.EXE
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
I still can only find the installer. Not the dialer itself.

Please try this and see if it is enough.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Paste the line below as the "Path to File to delete"
C:\winnt\system32\elitemdk32.exe

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe

Reboot once more and post a new HijackThis log.

Regards,

#5 hill1m (Topic Starter, New Member, 8 posts)
Thanks very much for this.

New HJL:

Logfile of HijackThis v1.99.1
Scan saved at 14:39:28, on 03/05/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\c4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
c:\oracle\ora91\bin\omtsreco.exe
c:\oracle\ora91\bin\agntsrvc.exe
C:\WINNT\system32\cmd.exe
c:\oracle\ora91\bin\dbsnmp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ICO.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\IBM\Infoprint Select\ipnotify.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\PerSono\perstray.exe
C:\Mark's Documents\Stuff\AntiVirus\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.greenock.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = uk.ibm.com;ibm.com;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 9.134.214.138 ibm-07m1u4ude2n # Docupit 2
O1 - Hosts: 9.134.214.140 ibm-5hrk97xc5qo # Docupit 1
O1 - Hosts: 9.134.214.137 DOCUPIT05 # Docupit 5
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com/
O16 - DPF: {5949E0BC-5CCE-4990-A794-956EC4E444CC} (Assesser Class) - http://testcontent.a...nt/Assesser.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3.ibm.com/to...lugin/gpwsx.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://129.35.72.8/v...tivexviewer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup141.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\c4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora91\bin\omtsreco.exe
O23 - Service: OracleOraHome91Agent - Oracle Corporation - c:\oracle\ora91\bin\agntsrvc.exe
O23 - Service: OracleOraHome91ClientCache - Unknown owner - c:\oracle\ora91\BIN\ONRSD.EXE
O23 - Service: OracleOraHome91HTTPServer - Unknown owner - c:\oracle\ora91\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome91ManagementServer - Unknown owner - C:\oracle\ora91\bin\OMSNTsrv.exe
O23 - Service: OracleOraHome91PagingServer - Unknown owner - c:\oracle\ora91/bin/pagntsrv.exe
O23 - Service: OracleOraHome91SNMPPeerEncapsulator - Unknown owner - c:\oracle\ora91\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome91SNMPPeerMasterAgent - Unknown owner - c:\oracle\ora91\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome91TNSListener - Unknown owner - c:\oracle\ora91\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMARK - Oracle Corporation - c:\oracle\ora91\bin\ORACLE.EXE
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


PS. I am still getting a load of popups when I re-boot.

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Copy the part in bold below into notepad and save it as noASD.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial" = "0"

[-HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"checkrun"=-


Doubleclick that file and confirm you want to merge it with the registry.
Then reboot and post a new log.

Regards,
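The checks in posts #4 and #6 come down to one question: did the autostart entry the helper asked to "Fix checked" actually disappear in the next scan, or is it still listed (as [checkrun] was in the 14:39 log, which is why the .reg merge followed)? The Python below is an added example, not code from the thread or from HijackThis: it parses logs in the v1.99.1 format posted above and answers that question for two scans. The embedded log excerpts are constructed from lines in the thread, and the post-merge log is hypothetical; the function names are my own.

```python
"""Did a HijackThis 'Fix checked' entry really disappear between two scans?
Added example, not code from the thread or from HijackThis. The log excerpts
are constructed from lines posted in the thread; the post-merge log is hypothetical.
"""
import re
from dataclasses import dataclass, field

# Matches "O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Matches "O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass
class HjtLog:
    scanned_at: str = ""
    processes: list = field(default_factory=list)
    # (hive or "Global Startup", entry name) -> command line that autostarts
    autostarts: dict = field(default_factory=dict)


def parse_autostart(line):
    """Return ((hive, name), command) for an O4 line, None for any other line."""
    m = RUN_RE.match(line)
    if m:
        return (m["hive"], m["name"]), m["cmd"]
    m = STARTUP_RE.match(line)
    if m:
        return ("Global Startup", m["name"]), m["cmd"]
    return None


def parse_hjt(text: str) -> HjtLog:
    """Parse the header, the 'Running processes:' block and the O4 lines of a v1.99.1 log."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scan saved at "):
            log.scanned_at = line[len("Scan saved at "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            if line:
                log.processes.append(line)
            else:
                in_processes = False  # the blank line ends the process list
        else:
            entry = parse_autostart(line)
            if entry:
                key, cmd = entry
                log.autostarts[key] = cmd
    return log


def still_present(after: HjtLog, fix_lines: list) -> list:
    """Return the 'Fix checked' lines whose autostart entry still exists in a later scan."""
    survivors = []
    for fix in fix_lines:
        entry = parse_autostart(fix.strip())
        if entry is None:
            raise ValueError(f"not an O4 line: {fix!r}")
        key, cmd = entry
        # Registry paths are case-insensitive, so compare case-folded.
        if after.autostarts.get(key, "").lower() == cmd.lower():
            survivors.append(fix)
    return survivors


def autostart_diff(before: HjtLog, after: HjtLog):
    """Autostart keys that vanished and that appeared between two scans."""
    removed = sorted(k for k in before.autostarts if k not in after.autostarts)
    added = sorted(k for k in after.autostarts if k not in before.autostarts)
    return removed, added


FIX_LINE = r"O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe"

# Constructed excerpt in the format of the 14:39 scan in the thread: the
# Killbox/HijackThis step had been run, yet the checkrun value is still listed.
LOG_AFTER_KILLBOX = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:39:28, on 03/05/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\NavNT\vptray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
"""

# Hypothetical scan after "checkrun"=- in noASD.reg deleted the value
# (constructed; the thread's final log is not shown on this page).
LOG_AFTER_REG = LOG_AFTER_KILLBOX.replace(FIX_LINE + "\n", "").replace(
    "14:39:28", "16:00:00 (hypothetical)")

if __name__ == "__main__":
    before, after = parse_hjt(LOG_AFTER_KILLBOX), parse_hjt(LOG_AFTER_REG)
    print("still present after the Killbox step:", still_present(before, [FIX_LINE]))
    print("removed/added by the .reg merge:", autostart_diff(before, after))
```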

#7 hill1m (Topic Starter, New Member, 8 posts)
Completed all steps suggested. Thanks again for your time.

No sign of Derbiz. However, I am still getting popups after re-boot.

New HJL:

Logfile of HijackThis v1.99.1
Scan saved at 15:15:03, on 03/05/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\c4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
c:\oracle\ora91\bin\omtsreco.exe
c:\oracle\ora91\bin\agntsrvc.exe
C:\WINNT\system32\cmd.exe
c:\oracle\ora91\bin\dbsnmp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ICO.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\IBM\Infoprint Select\ipnotify.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Mark's Documents\Stuff\AntiVirus\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.greenock.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = uk.ibm.com;ibm.com;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.ibm.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 9.134.214.138 ibm-07m1u4ude2n # Docupit 2
O1 - Hosts: 9.134.214.140 ibm-5hrk97xc5qo # Docupit 1
O1 - Hosts: 9.134.214.137 DOCUPIT05 # Docupit 5
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com/
O16 - DPF: {5949E0BC-5CCE-4990-A794-956EC4E444CC} (Assesser Class) - http://testcontent.a...nt/Assesser.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3.ibm.com/to...lugin/gpwsx.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://129.35.72.8/v...tivexviewer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup141.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\c4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora91\bin\omtsreco.exe
O23 - Service: OracleOraHome91Agent - Oracle Corporation - c:\oracle\ora91\bin\agntsrvc.exe
O23 - Service: OracleOraHome91ClientCache - Unknown owner - c:\oracle\ora91\BIN\ONRSD.EXE
O23 - Service: OracleOraHome91HTTPServer - Unknown owner - c:\oracle\ora91\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome91ManagementServer - Unknown owner - C:\oracle\ora91\bin\OMSNTsrv.exe
O23 - Service: OracleOraHome91PagingServer - Unknown owner - c:\oracle\ora91/bin/pagntsrv.exe
O23 - Service: OracleOraHome91SNMPPeerEncapsulator - Unknown owner - c:\oracle\ora91\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome91SNMPPeerMasterAgent - Unknown owner - c:\oracle\ora91\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome91TNSListener - Unknown owner - c:\oracle\ora91\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMARK - Oracle Corporation - c:\oracle\ora91\bin\ORACLE.EXE
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Is there something running on that computer that guards settings such as startups?

We have now tried to remove the checkrun startup twice in two different ways and it's still there.

Download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,

#9
hill1m

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi Pieter

Have completed this and resulting log is below:

C:\Documents and Settings\Administrator\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\msbb321.dll: UPX!
C:\WINNT\system32\eliteabh32.exe: FSG!
C:\WINNT\system32\elitebdc32.exe: FSG!
C:\WINNT\system32\elitebdm32.exe: FSG!
C:\WINNT\system32\elitebfv32.exe: FSG!
C:\WINNT\system32\elitebud32.exe: FSG!
C:\WINNT\system32\elitedpb32.exe: FSG!
C:\WINNT\system32\elitefoi32.exe: FSG!
C:\WINNT\system32\elitehxs32.exe: FSG!
C:\WINNT\system32\elitelvj32.exe: FSG!
C:\WINNT\system32\elitemdk32.exe: FSG!
C:\WINNT\system32\elitemop32.exe: FSG!
C:\WINNT\system32\elitenrv32.exe: FSG!
C:\WINNT\system32\eliterwr32.exe: FSG!
C:\WINNT\system32\eliteskt32.exe: FSG!
C:\WINNT\system32\elitevba32.exe: FSG!
C:\WINNT\system32\elitewvt32.exe: FSG!
C:\WINNT\system32\elitewym32.exe: FSG!
C:\WINNT\system32\elitexlp32.exe: FSG!
C:\WINNT\system32\elitezhb32.exe: FSG!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\NTL7W32.exe: UPX!
Finished
bye


Cheers

#10
hill1m

    New Member

  • Topic Starter
  • Member
  • 8 posts
Pieter

Have got Microsoft Antispyware / AdAware / Spyware Blaster as well as Norton.

Is there any more info that you may require?

Cheers

Mark

#11
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
That's a nice collection of Elitebar files. They must be running out of ideas by now. :tazz:

Before you follow the instructions below, surf to http://www.kaspersky.com/scanforvirus and have this file scanned:
C:\WINNT\NTL7W32.exe
If it is identified as bad, copy the results and post them later, then continue.
If it is said to be OK, remove it from the list of files to be deleted by Killbox below (it's the last one).

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\msbb321.dll
C:\WINNT\system32\eliteabh32.exe
C:\WINNT\system32\elitebdc32.exe
C:\WINNT\system32\elitebdm32.exe
C:\WINNT\system32\elitebfv32.exe
C:\WINNT\system32\elitebud32.exe
C:\WINNT\system32\elitedpb32.exe
C:\WINNT\system32\elitefoi32.exe
C:\WINNT\system32\elitehxs32.exe
C:\WINNT\system32\elitelvj32.exe
C:\WINNT\system32\elitemdk32.exe
C:\WINNT\system32\elitemop32.exe
C:\WINNT\system32\elitenrv32.exe
C:\WINNT\system32\eliterwr32.exe
C:\WINNT\system32\eliteskt32.exe
C:\WINNT\system32\elitevba32.exe
C:\WINNT\system32\elitewvt32.exe
C:\WINNT\system32\elitewym32.exe
C:\WINNT\system32\elitexlp32.exe
C:\WINNT\system32\elitezhb32.exe
C:\WINNT\NTL7W32.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Let me know,
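A defender-side way to pull the two signals in this thread out of the logs automatically, written as an added example (not part of this thread, HijackThis, RKFiles or Killbox): it parses the O4 autorun lines and the RKFiles packer report, groups file names that follow the elite + three random letters + 32.exe scheme, and reports which packed files are also launched at logon. The sample lines are a constructed subset of the logs posted above; the function names are mine.

```python
import re
# Constructed sample: a subset of the O4 and RKFiles lines posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemdk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""
RKFILES_SAMPLE = r"""
C:\WINNT\system32\msbb321.dll: UPX!
C:\WINNT\system32\eliteabh32.exe: FSG!
C:\WINNT\system32\elitebdc32.exe: FSG!
C:\WINNT\system32\elitemdk32.exe: FSG!
C:\WINNT\NTL7W32.exe: UPX!
"""

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
RK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?): (?P<packer>\S+)$")
# <stem><three random letters>32.exe: the naming scheme of the elite*32.exe files above
RAND_RE = re.compile(r"^(?P<stem>[a-z]+?)(?P<rand>[a-z]{3})32\.exe$")

def parse_hjt_run_entries(log):
    # Map each O4 autorun entry name to the (lower-cased) file it launches.
    entries = {}
    for m in filter(None, map(O4_RE.match, log.splitlines())):
        p = PATH_RE.search(m["cmd"])
        entries[m["name"]] = (p["path"] if p else m["cmd"].split()[0]).lower()
    return entries

def parse_rkfiles(log):
    # Map each packed file RKFiles reported to the packer signature it hit.
    return {m["path"].lower(): m["packer"] for m in map(RK_RE.match, log.splitlines()) if m}

def randomized_families(paths, min_members=3):
    # Group names matching RAND_RE by stem; several members under one stem is the pattern.
    groups = {}
    for path in paths:
        m = RAND_RE.match(path.rsplit("\\", 1)[-1])
        if m:
            groups.setdefault(m["stem"], []).append(path)
    return {s: sorted(v) for s, v in groups.items() if len(v) >= min_members}

def triage(hjt_log, rkfiles_log):
    # Cross-reference: packed files also launched at logon, and whether they sit in a family.
    runs = parse_hjt_run_entries(hjt_log)
    packed = parse_rkfiles(rkfiles_log)
    families = randomized_families(packed)
    in_family = {p for v in families.values() for p in v}
    autorun_packed = {n: p for n, p in runs.items() if p in packed}
    return {"families": families, "autorun_packed": autorun_packed,
            "autorun_in_family": {n: p for n, p in autorun_packed.items() if p in in_family}}
```

A packer hit on its own is not a verdict (NTL7W32.exe in this thread scanned clean); the family grouping plus an autorun entry pointing into it is what justifies the deletion list.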

#12
hill1m

    New Member

  • Topic Starter
  • Member
  • 8 posts
EXCELLENT !!!!!!!! :tazz: ;)

So far so good. My first boot-up in a long time that doesn't require me closing a load of popup windows.

Thank you very much for your help and time.

Cheers

Mark

#13
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Glad to hear that. :tazz:

Please do have a look at my site about removing and preventing spyware.

And you owe me the scanresults for: C:\WINNT\NTL7W32.exe

Regards,

#14
hill1m

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi Pieter

Sorry, I was so excited about getting this clean that I forgot to mention that the file was scanned clean and was not bad.

I removed it anyway and everything seems fine.

Thanks again for all your help.

Will have a look at your site today and see what else I can do to prevent anything else happening.

Thanks, really appreciate your time.

Cheers

Mark

#15
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
My pleasure. :tazz: