Request help w/Aurora- Nail virus (resolved)


This topic is locked

#1 andy1210 (Member, 14 posts)
Hello, I'm a bit new to this and read your instructions. I have run both Ad-Aware and Spybot and can't permanently get rid of the Aurora / Nail virus. I have also downloaded HijackThis.

Thanks in advance for your help


#2 andy1210 (Topic Starter, 14 posts)
Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:11 PM, on 05/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINNT\System32\GSMedia3.exe
C:\DOCUME~1\amartino\LOCALS~1\Temp\bundle.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\??rss.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\amartino\Application Data\oose.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\WINNT\System32\HPZipm12.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\System32\amskey.exe
C:\WINNT\System32\atrclass.exe
c:\winnt\system32\lvwvhxa.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\naldaemn.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\Documents and Settings\amartino\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://my.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {28CF9A7C-0A91-7E48-986F-5CA7113DC4C3} - C:\WINNT\System32\qyj.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\System32\nsxB3.dll (file missing)
O2 - BHO: (no name) - {B8691E07-D490-F31D-E068-F97AE0B30DC4} - C:\WINNT\System32\ianghzn.dll (file missing)
O2 - BHO: (no name) - {C0CC642F-F098-881B-980D-AFC816F92A90} - C:\WINNT\System32\evla.dll
O2 - BHO: (no name) - {C5CC6029-F0EE-8A69-980D-DAC81B8F2A95} - C:\WINNT\System32\evla.dll
O2 - BHO: (no name) - {E916F02E-38CE-131C-CED6-378192B059C2} - C:\WINNT\System32\ehqgpo.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [vbbUyIMHA.exe] C:\documents and settings\amartino\local settings\temp\vbbUyIMHA.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\System32\psoft1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [G3] C:\WINNT\System32\GSMedia3.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3s6P3Fl] atrclass.exe
O4 - HKLM\..\Run: [idxlzo] c:\winnt\system32\lvwvhxa.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\amartino\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Sxuj] C:\WINNT\System32\??rss.exe
O4 - HKCU\..\Run: [Odea] C:\Documents and Settings\amartino\Application Data\bbsr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [Cpqasawg] C:\WINNT\System32\wuaclt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IBpFRPJ9U] amskey.exe
O4 - HKCU\..\Run: [Wtpm] C:\Documents and Settings\amartino\Application Data\oose.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: NameServer = 10.10.61.91,10.9.167.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Please advise what I should do next. Thanks again.

#3 Guest_usetobe_* (Guest)
Hi Andy,

Welcome to Geeks2go,

We have quite a bit of work to do on your Log so bear with me.

Please print out a copy of these instructions so that they are easy to follow and so that you have access to them when you have to reboot your PC.

Next we need to download several programs. Do not run any of the programs until instructed to do so and follow the sequence of the instructions.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSPFix from here.
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you may see one or more instances of c:\winnt\system32\calsp.dll.
5. Select every instance of c:\winnt\system32\calsp.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

I would like you to carry out the following free online virus scan and follow their instructions on removal of anything that it may find. Enter your name, for company type anything you like, and add your email address.

Kaspersky

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next please download the following two programs. Install them and update them both. Do not run them yet.

Spybot Search and Destroy 1.3

Ad-Aware SE 1.5

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run this from Safe Mode. First ask the Aurora/Nail component to uninstall itself.
cd %windir%
Nail.exe /FULLREMOVE
REM Disable, stop and delete the "System Startup Service" (SvcProc) listed as O23 in the log.
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted.
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
REM Same for the DLL it drops in system32.
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Run the Spybot and Ad-Aware programs you downloaded earlier and fix anything that they find.

Then please run Ewido: double-click the new icon for the program (you can't miss it, it's a big yellow E). It will ask you to upgrade the database; follow the instructions.
Once it is ready click on the Scanner button, select the C drive if you have more than one, and then start.

Grab a cup of coffee, sandwiches, a book and a sleeping bag as this will take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files. OK that request, then click on Save report. Save to the default location; it will then generate a text file. Copy that to post in this thread.

Reboot your PC normally.

Rescan your PC with HJT and post the log in this thread together with the ewido report.
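A way to check the outcome of the steps above, as an added example that is not part of this thread and not a HijackThis or Geeks to Go tool: the Python script below parses the R/O lines of a HijackThis 1.99 log, flags the kinds of entries the instructions target (unknown Winsock LSPs, Trusted Zone additions, services with an unknown owner or missing binary, autoruns launched from Temp or Application Data, rundll32 loading hex-named DLLs, unnamed BHOs, IE search settings served from a local res:// DLL), and diffs a before/after pair to show which entries a cleanup pass removed and which survived. The embedded sample lines are excerpts from the two HijackThis logs posted in this thread (the first scan and the rescan after the cleanup); the flagging heuristics, the PROFILE_TEMP and HEX_RUNDLL patterns and the function names are this example's own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis 1.99 logs.

Added example, not a Geeks to Go tool and not part of HijackThis itself:
parses the R/O lines of a log, flags the entries a removal helper would
look at first, and diffs a before/after pair to show what a cleanup pass
actually removed. The flagging heuristics are this example's own
assumptions about a 2005-era Windows XP box, not HijackThis rules.
"""
import re

# One R/O entry per line, e.g. "O4 - HKLM\..\Run: [name] path".
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

# Autoruns launched from per-user temp or roaming-profile directories.
# Both long and 8.3 short-name spellings appear in logs (assumption).
PROFILE_TEMP = re.compile(
    r"\\(local settings\\temp|locals~1\\temp|application data|applic~1)\\", re.I
)
# rundll32 handed a bare hex blob as the DLL name, as in the log above.
HEX_RUNDLL = re.compile(r"rundll32\.exe\s+[0-9A-F]{8,}", re.I)


def parse_hjt(text):
    """Return [(section, body)] for every R/O line; the process list is skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entry(section, body):
    """Reason an entry deserves a look, or None if it looks ordinary."""
    if section == "O10":
        return "unknown Winsock LSP: remove only with an LSP-aware tool"
    if section == "O15":
        return "Trusted Zone / protocol-default tampering"
    if section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service with unknown owner or missing binary"
    if section == "O2" and "(no name)" in body:
        return "unnamed browser helper object"
    if section.startswith("R") and "res://" in body:
        return "IE search setting served from a local DLL resource"
    if section == "O4":
        if PROFILE_TEMP.search(body):
            return "autorun from a Temp or Application Data directory"
        if "?" in body:
            return "autorun path with unprintable characters"
        if HEX_RUNDLL.search(body):
            return "rundll32 loading a hex-named DLL"
    return None


def triage(text):
    """All flagged entries of one log as (section, body, reason)."""
    out = []
    for sec, body in parse_hjt(text):
        reason = flag_entry(sec, body)
        if reason:
            out.append((sec, body, reason))
    return out


def diff_logs(before, after):
    """(removed, survived, new) entry lists between two logs of one machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(b & a), sorted(a - b)


# Excerpts copied from the two logs posted in this thread (first scan and
# the rescan after the cleanup pass), trimmed to a few lines each.
BEFORE = r"""
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\amartino\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [Sxuj] C:\WINNT\System32\??rss.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O15 - Trusted Zone: *.awmdabest.com
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
"""

AFTER = r"""
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Sxuj] C:\WINNT\System32\??rss.exe
O15 - Trusted Zone: *.awmdabest.com
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    for sec, body, reason in triage(BEFORE):
        print(f"{sec}: {reason}\n    {body}")
    removed, survived, new = diff_logs(BEFORE, AFTER)
    print(f"\nremoved {len(removed)}, survived {len(survived)}, new {len(new)}")
    for sec, body in survived:
        print(f"  still present: {sec} - {body}")
```

Run it as-is to see the flagged entries and the survivors, or replace BEFORE and AFTER with the contents of two saved log files to compare real scans. An O23 service whose binary was deleted shows up as a "new" entry rather than a removed one, because HijackThis appends "(file missing)" to the same line; that is exactly what happens to SvcProc once remove.bat has deleted svcproc.exe but the service registration has not been cleared.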

#4 andy1210 (Topic Starter, 14 posts)
OK, I did everything you described and I want to thank you again for all your help. If I end up being able to overcome this I'm going to be nothing short of ecstatic.

- I ran LSPFix.exe but it didn't pick up any instance of C:\winnt\system32\calsp.dll.
- I downloaded and ran Kaspersky.
- I downloaded Ewido; did NOT run it until later in Safe Mode.
- I already had both Spybot and Ad-Aware downloaded on my PC.
- I created the remove.bat file in Notepad on my desktop, but for some reason when in Safe Mode the .bat file didn't show on my desktop, so I created it again in Safe Mode by typing it in Notepad. I hope it was OK to do that.
- I clicked on remove.bat and it ran as expected.
- I ran CWShredder in Safe Mode and it did pick up something.
- I ran Spybot and fixed what it could. It told me of 42 problems that could not be fixed. Spybot runs automatically on my machine when I boot up, and when rebooting (out of Safe Mode) it looks like it found all 42 again and was able to successfully delete them.
- I ran Ad-Aware in Safe Mode and it successfully deleted everything it found.
- I ran Ewido in Safe Mode and it found stuff also.

Attached are the HJT and Ewido logs. Please advise what I should do next, and THANKS again.

Logfile of HijackThis v1.99.1
Scan saved at 12:29:03 PM, on 05/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\atrclass.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\System32\GSMedia3.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\amartino\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://my.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
O2 - BHO: (no name) - {28CF9A7C-0A91-7E48-986F-5CA7113DC4C3} - C:\WINNT\System32\qyj.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\System32\nsxB3.dll (file missing)
O2 - BHO: (no name) - {B8691E07-D490-F31D-E068-F97AE0B30DC4} - C:\WINNT\System32\ianghzn.dll (file missing)
O2 - BHO: (no name) - {C0CC642F-F098-881B-980D-AFC816F92A90} - C:\WINNT\System32\evla.dll (file missing)
O2 - BHO: (no name) - {C5CC6029-F0EE-8A69-980D-DAC81B8F2A95} - C:\WINNT\System32\evla.dll (file missing)
O2 - BHO: (no name) - {E916F02E-38CE-131C-CED6-378192B059C2} - C:\WINNT\System32\ehqgpo.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [vbbUyIMHA.exe] C:\documents and settings\amartino\local settings\temp\vbbUyIMHA.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\System32\psoft1.exe
O4 - HKLM\..\Run: [3s6P3Fl] atrclass.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINNT\System32\GSMedia3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Sxuj] C:\WINNT\System32\??rss.exe
O4 - HKCU\..\Run: [Odea] C:\Documents and Settings\amartino\Application Data\bbsr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [Cpqasawg] C:\WINNT\System32\wuaclt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IBpFRPJ9U] amskey.exe
O4 - HKCU\..\Run: [Wtpm] C:\Documents and Settings\amartino\Application Data\oose.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: NameServer = 10.10.61.91,10.9.167.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:17:15 PM, 5/6/2005
+ Report-Checksum: A2906F97

+ Date of database: 5/6/2005
+ Version of scan engine: v3.0

+ Duration: 41 min
+ Scanned Files: 89571
+ Speed: 35.75 Files/Second
+ Infected files: 100
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 99

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Program Files\FwBarTemp\searchbar.exe -> TrojanDownloader.VB.eu -> Error during cleaning
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay.j -> Error during cleaning
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay.j -> Error during cleaning
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL -> Spyware.MyWay.j -> Error during cleaning
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Error during cleaning
C:\windows\bundles\shopinst.exe -> TrojanDownloader.Small.wj -> Error during cleaning
C:\windows\bundles\thinadvolt.exe.tcf -> Spyware.BetterInternet -> Error during cleaning
C:\WINNT\180axau.dat -> Spyware.Istbar -> Error during cleaning
C:\WINNT\Bolger.dll.tcf -> Spyware.BetterInternet -> Error during cleaning
C:\WINNT\Bolger.dll4371.tcf -> Spyware.BetterInternet -> Error during cleaning
C:\WINNT\bsx32\ADTMI1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ADVC5.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIFWH29233.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIG21943.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIGT10102.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIH7853.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASII21469.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIL18549.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIOG19375.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIOT25456.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIPF1965.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIR21184.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIRE20082.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIS24110.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIS31590.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIT26116.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIW11211.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\ASIWS3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\BID1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\CARS3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\DATE4.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\EML1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\FAST1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\FINC3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\FINC5.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\FLWR1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\HERBS1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\INK1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\JOBS4.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\MOVS2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\NEWS2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\SHOP2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\TECH2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\UTONE2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\cfgmgr51.dll -> Spyware.BookedSpace -> Error during cleaning
C:\WINNT\Downloaded Program Files\actsetup.dll -> Trojan.Small.i -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx.tcf -> Spyware.MediaTickets.f -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.1\rdgUS10.exe.tcf -> Dialer.Generic -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.2\rdgUS10.exe.tcf -> Dialer.Generic -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.3\rdgUS10.exe.tcf -> Dialer.Generic -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.5\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.6\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.7\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.8\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\CONFLICT.9\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\HDPlugin1019.dll -> Spyware.Gator.1019 -> Error during cleaning
C:\WINNT\Downloaded Program Files\lsp_.dll -> Spyware.Sahat.f -> Error during cleaning
C:\WINNT\Downloaded Program Files\rdgUS10.exe.tcf -> Dialer.Generic -> Error during cleaning
C:\WINNT\Downloaded Program Files\SAHAgent_.exe -> Spyware.Sahat.f -> Error during cleaning
C:\WINNT\Downloaded Program Files\SahHtml_.exe -> Spyware.Sahat.f -> Error during cleaning
C:\WINNT\Downloaded Program Files\SAHUninstall_.exe -> Spyware.Sahat.f -> Error during cleaning
C:\WINNT\Downloaded Program Files\WEBInstaller.dll -> Spyware.SAHA -> Error during cleaning
C:\WINNT\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar.gp -> Error during cleaning
C:\WINNT\mstasks2.exe -> Trojan.Qhost.n -> Error during cleaning
C:\WINNT\mstasks3.exe -> Trojan.Qhost.n -> Error during cleaning
C:\WINNT\multimpp.dll -> Spyware.BiSpy.t -> Error during cleaning
C:\WINNT\systb.exe.tcf -> Trojan.Imiserv.c -> Error during cleaning
C:\WINNT\system32\bap.exe.tcf -> Spyware.WinAD.b -> Error during cleaning
C:\WINNT\system32\Cache\cxtpls_loader.exe.tcf -> Spyware.Apropos.b -> Error during cleaning
C:\WINNT\system32\carules.dll -> Spyware.CouponAge -> Error during cleaning
C:\WINNT\system32\cntpux.exe.tcf -> Trojan.Agent.cp -> Error during cleaning
C:\WINNT\system32\fgrydqx.exe.tcf -> Trojan.Agent.cp -> Error during cleaning
C:\WINNT\system32\jiibze.exe.tcf -> Trojan.Agent.cp -> Error during cleaning
C:\WINNT\system32\mac80ex.idf/C:/WINNT/System32/msbe.dll -> Spyware.BargainBuddy.i -> Error during cleaning
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/bargains.exe -> Spyware.Bargainbuddy -> Error during cleaning
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.Bargainbuddy -> Error during cleaning
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.Bargainbuddy -> Error during cleaning
C:\WINNT\system32\msedpb.exe -> Trojan.Small.i -> Error during cleaning
C:\WINNT\system32\msnimk.gif -> Spyware.Ipend -> Error during cleaning
C:\WINNT\system32\prj.dll -> Spyware.PurityScan.ak -> Error during cleaning
C:\WINNT\system32\psis80ex.ax/C:/WINNT/System32/mscb.dll -> Spyware.BargainBuddy.i -> Error during cleaning
C:\WINNT\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy.j -> Error during cleaning
C:\WINNT\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.BargainBuddy.j -> Error during cleaning
C:\WINNT\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.BargainBuddy.j -> Error during cleaning
C:\WINNT\system32\saieau.dat -> Spyware.Istbar -> Error during cleaning
C:\WINNT\system32\sicon.dll -> Spyware.AdURL.a -> Error during cleaning
C:\WINNT\system32\tctsfb.exe.tcf -> Trojan.Agent.cp -> Error during cleaning
C:\WINNT\system32\zhvqs.dll.tcf -> Spyware.Adstart.c -> Error during cleaning
C:\WINNT\Temp\bw.exe -> TrojanDownloader.Wren.d -> Cleaned with backup
C:\WINNT\wt\wtvh.dll -> Spyware.WildTangent.b -> Error during cleaning


::Report End
  • 0

#5 Guest_usetobe_* (Guest)
Hi andy,

As you can see, these infections can be difficult to eradicate and sometimes need hitting a few times.

Carry out a free online virus scan from the following link

Panda Active Scan

Rerun CWshredder (PC in normal mode)

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINNT\System32\GSMedia3.exe
C:\WINNT\System32\atrclass.exe


Exit the Task Manager

Rescan with HJT and check the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
O2 - BHO: (no name) - {28CF9A7C-0A91-7E48-986F-5CA7113DC4C3} - C:\WINNT\System32\qyj.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\System32\nsxB3.dll (file missing)
O2 - BHO: (no name) - {B8691E07-D490-F31D-E068-F97AE0B30DC4} - C:\WINNT\System32\ianghzn.dll (file missing)
O2 - BHO: (no name) - {C0CC642F-F098-881B-980D-AFC816F92A90} - C:\WINNT\System32\evla.dll (file missing)
O2 - BHO: (no name) - {C5CC6029-F0EE-8A69-980D-DAC81B8F2A95} - C:\WINNT\System32\evla.dll (file missing)
O2 - BHO: (no name) - {E916F02E-38CE-131C-CED6-378192B059C2} - C:\WINNT\System32\ehqgpo.dll (file missing)
O4 - HKLM\..\Run: [vbbUyIMHA.exe] C:\documents and settings\amartino\local settings\temp\vbbUyIMHA.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\System32\psoft1.exe
O4 - HKLM\..\Run: [3s6P3Fl] atrclass.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINNT\System32\GSMedia3.exe
O4 - HKCU\..\Run: [Sxuj] C:\WINNT\System32\??rss.exe
O4 - HKCU\..\Run: [Odea] C:\Documents and Settings\amartino\Application Data\bbsr.exe
O4 - HKCU\..\Run: [Cpqasawg] C:\WINNT\System32\wuaclt.exe
O4 - HKCU\..\Run: [IBpFRPJ9U] amskey.exe
O4 - HKCU\..\Run: [Wtpm] C:\Documents and Settings\amartino\Application Data\oose.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)


Ensure no other windows are open and click FIX CHECKED.

Download the following program.

Download Pocket Killbox and unzip it; save it to your Desktop.

Set up PC to show hidden files

Reboot into SAFE MODE and, using Windows Explorer, locate and delete the following files/folders.

C:\WINNT\System32\qyj.dll
C:\WINNT\Bolger.dll
C:\WINNT\System32\nsxB3.dll
C:\WINNT\System32\ianghzn.dll
C:\WINNT\System32\evla.dll
C:\WINNT\System32\evla.dll
C:\WINNT\System32\ehqgpo.dll
C:\documents and settings\amartino\local settings\temp\vbbUyIMHA.exe
C:\WINNT\System32\psoft1.exe
C:\WINNT\System32\GSMedia3.exe
C:\WINNT\System32\??rss.exe
C:\Documents and Settings\amartino\Application Data\bbsr.exe
C:\WINNT\System32\wuaclt.exe
C:\Documents and Settings\amartino\Application Data\oose.exe
C:\WINNT\System32\maxspeed.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINNT\svcproc.exe


Now double-click on Killbox.exe on your desktop to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINNT\System32\qyj.dll
C:\WINNT\Bolger.dll
C:\WINNT\System32\nsxB3.dll
C:\WINNT\System32\ianghzn.dll
C:\WINNT\System32\evla.dll
C:\WINNT\System32\evla.dll
C:\WINNT\System32\ehqgpo.dll
C:\documents and settings\amartino\local settings\temp\vbbUyIMHA.exe
C:\WINNT\System32\psoft1.exe
C:\WINNT\System32\GSMedia3.exe
C:\WINNT\System32\??rss.exe
C:\Documents and Settings\amartino\Application Data\bbsr.exe
C:\WINNT\System32\wuaclt.exe
C:\Documents and Settings\amartino\Application Data\oose.exe
C:\WINNT\System32\maxspeed.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINNT\svcproc.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

Run ewido program once more (PC in normal mode)

Copy the file it creates to post back

Rescan with HJT and post the log back.

I also need to know if you recognise the following

Marimba\CASTAN
metlife.com
SISD\STMeetingRoom
SISD\STBroadcastClien
  • 0
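The checklist in the post above is what a helper picks out of a HijackThis log by eye: R0/R1 search and start pages pointing at res:// or about:blank, O2/O9/O23 entries whose target is "(file missing)", O4 Run entries that launch from a user's Temp or Application Data folder or by bare filename, and any O15 trusted-zone change. As an added example, not part of this thread and not HijackThis's own logic, here is a small Python script that applies those same rules to the HJT entry format. The rules are my own assumptions about what is worth flagging; the sample lines are copied from the logs posted in this thread (plus two known-good lines, the McAfee Run entry and McShield service, so that a clean entry is shown passing).

```python
"""Triage a HijackThis 1.99 log with the rules a helper applies by eye.

Added example for this thread. The rules below are assumptions, not
HijackThis's own logic; the sample lines are copied from the logs posted
in the thread so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the thread's HJT logs,
# plus two known-good lines (ShStatEXE, McShield) that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dctza.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.metlife.com/
O2 - BHO: (no name) - {C0CC642F-F098-881B-980D-AFC816F92A90} - C:\WINNT\System32\evla.dll (file missing)
O4 - HKLM\..\Run: [vbbUyIMHA.exe] C:\documents and settings\amartino\local settings\temp\vbbUyIMHA.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [3s6P3Fl] atrclass.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Odea] C:\Documents and Settings\amartino\Application Data\bbsr.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
"""

# Every HJT entry line is "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# Body of an O4 registry Run entry: hive, key, [value name], command line.
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Lower-cased directory fragments that legitimate autoruns rarely live in.
PROFILE_DIRS = ("\\local settings\\temp\\", "\\application data\\")


@dataclass
class Finding:
    entry_type: str
    reason: str
    body: str


def parse_entries(text):
    """Return (type, body) for each HJT entry line; skip everything else."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def command_path(cmd):
    """Return the executable path from a Run command, dropping quotes and args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first
    # executable extension that is followed by whitespace or end of line.
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def run_findings(body):
    """Reasons to distrust one O4 Run entry (empty list if it looks normal)."""
    m = RUN_RE.match(body)
    if not m:
        return []
    cmd = m.group("cmd")
    path = command_path(cmd)
    low = path.lower()
    reasons = []
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("autorun from a user profile Temp/Application Data folder")
    if "\\" not in path:
        reasons.append("bare filename resolved via the search path: verify where it lives")
    if low.endswith("rundll32.exe"):
        # rundll32 <module>,<entry>: a module with no .dll extension is odd.
        args = cmd.strip().split(path, 1)[1].strip(' "')
        module = args.split(",")[0].strip('" ')
        if not module.lower().endswith(".dll"):
            reasons.append("rundll32 loading a module without a .dll extension")
    return reasons


def triage(text):
    """Apply the helper's checklist to a whole log and return the findings."""
    findings = []
    for etype, body in parse_entries(text):
        low = body.lower()
        if etype in ("R0", "R1", "R3"):
            if "res://" in low or "about:blank" in low:
                findings.append(Finding(etype, "browser search/start page hijacked", body))
        elif etype == "O4":
            for reason in run_findings(body):
                findings.append(Finding(etype, reason, body))
        elif etype == "O15":
            findings.append(Finding(etype, "IE security zone tampered with (trusted site/IP or protocol defaults)", body))
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(etype, "orphaned entry: registered target is not on disk", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry_type}] {f.reason}\n    {f.body}")
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`. The bare-filename rule is deliberately a "verify" rather than a "remove": the thread's own log has both a legitimate `ATIModeChange` entry (`Ati2mdxx.exe`) and the malicious `atrclass.exe` in that form, so the script can only tell you which entries to check on disk, not which to delete.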

#6 andy1210 (Topic Starter, Member, 14 posts)
Hi again. Sorry it took me a while to get back but I've been running into problems when attempting to do the things you instructed in the last note.

Here's how far I got:

- Tried to download Panda Active Scan and got a message that the browser was not supported. I use Firefox primarily and MS IE for work when I have to. I launched MS IE and tried to download Panda again, and that time it worked. It ran and, as far as I could tell, successfully deleted the files it detected.

- Successfully reran CWShredder

- Successfully deleted the 2 processes you listed from my task mgr.

- I reran HJT and checked/deleted the entries you listed. I could not find 4 out of 38 of them. Hoping they were already deleted in some other process we ran previously??

- In Safe Mode I tried to delete the files you listed. Most weren't in Explorer, and for some reason the ones that were, I was unable to delete; I got a message that Access was Denied. I'm not sure if this may be the cause of the problem, but in order for me to enter Safe Mode, I needed to create a Local ID on my PC. It is this local ID that I use to sign onto my PC when using Safe Mode. Is it possible that's the reason it won't let me delete the files there? I went back to normal mode and was able to successfully delete the files there without getting the Access Denied message.

- I downloaded Pocket Killbox and saved to Desktop, but again when in Safe Mode, it doesn't show on the desktop for some reason. As a workaround, I saved the killbox.exe to my C drive and tried launching it there while in Safe Mode. I found it there this time, but again, I got an Access Denied message. (very frustrating!!). I went back in normal mode and was able to run Killbox. I only found 1 of the 18 files you listed though. It did successfully delete that one.

- I tried running Ewido again, this time in normal mode as you instructed. I tried twice, and about two thirds of the way through I get an error message and it wants to shut it down. I'm not sure if this is what's causing the problem, but I noticed that my McAfee virus scan goes off in the middle of Ewido running. It seems like it is picking up the same viruses Ewido is detecting and trying to quarantine??

I tried pasting the McAfee log that was generated while Ewido was about 2/3 complete, but it's too big to post.

Finally, I ran HJT and here's the log. I'm trying real hard but am not sure how much progress I made today. Hopefully you'll have some advice on how to overcome these trip-ups I've come across. THANKS again.


Logfile of HijackThis v1.99.1
Scan saved at 6:38:12 PM, on 05/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\amartino\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://my.metlife.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: NameServer = 10.10.61.91,10.9.167.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
  • 0

#7 Guest_usetobe_* (Guest)
Hi Andy,

I STILL need to know if you recognise the following

Marimba\CASTAN
metlife.com
SISD\STMeetingRoom
SISD\STBroadcastClient


Signing in with another identity in safe mode could cause difficulties; does that account have administrator privileges? The problems appear to be in your main account and not your safe mode ID.

Check Add/Remove in control panel

If any of the following are present remove them.

My search
conflict
bargain buddy


Download the following programs.

Cleanup
Download about:buster by RubbeRDuckY Here.
Download SpSeHjfix Here.

Save all of these files somewhere you will remember

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an online virus scan at Kaspersky OnLine Scan. Type in your name, for company type anything you like, and add your email address. If that doesn't work, you can use BitDefender. (Please post the results of the scan(s) in your next reply.)

Download the following program.

Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.

Disconnect from the internet, disable your antivirus and try to run ewido again, saving the log.

Then reactivate your antivirus.

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck
  • 0

#8 andy1210 (Topic Starter, Member, 14 posts)
Hi! Sorry, forgot to tell you about the 4 files you asked about...

Marimba\CASTAN
metlife.com
SISD\STMeetingRoom
SISD\STBroadcastClient

The first 2 are legitimate. Marimba Castanet Tuner is the software used by my company to send security updates and software installations remotely (without having to drive 70 miles!), and MetLife is my employer.

I can't say I recognize SISD\STMeetingRoom or SISD\STBroadcastClient. Once in a great while we have meetings on the internet, which I vaguely remember involving an initial configuration, but I am not sure if that has anything to do with the last 2 entries.

Regarding signing in to SafeMode with a local ID I created: I originally tried going into SafeMode using my regular ID and it didn't recognize my normal user ID and password. I contacted my techie support guy and he said it was because my normal ID only works 'within the domain it was created for' and that I was in a different domain when in SafeMode. He said it shouldn't be a problem and told me how to create a local ID. I do have admin rights to my PC. I wonder however, if I have admin rights to the local ID or not and whether there is some kind of setting that needs to be checked to give myself admin rights to that ID.

I wanted to get back to you with that info first and will now run all the other instructions you listed.
  • 0

#9 andy1210 (Topic Starter, Member, 14 posts)
Hi again. Here's an update:

- Didn't find any of the 3 files in your list on Add/Remove.
- Downloaded Cleanup, about:buster and SpSeHjfix; updated SpSeHjfix and CWShredder.
- Was not able to run about:buster or SpSeHjfix in Safe Mode. Looks like I don't have admin rights in Safe Mode even though I have full admin rights in Normal Mode. VERY strange.
- Ran CWShredder in Safe Mode and it removed CWS.JkSearch.
- Ran SpSeHjfix in Normal Mode. Here's the log:

(5/7/05 1:46:35 PM) SPSeHjFix started v1.1.2
(5/7/05 1:46:35 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/7/05 1:46:35 PM) Language: english
(5/7/05 1:46:35 PM) Win-Path: C:\WINNT
(5/7/05 1:46:35 PM) System-Path: C:\WINNT\System32
(5/7/05 1:46:35 PM) Temp-Path: C:\DOCUME~1\amartino\LOCALS~1\Temp\
(5/7/05 1:46:38 PM) Disinfection started
(5/7/05 1:46:38 PM) Bad-Dll(IEP): (not found)
(5/7/05 1:46:38 PM) Bad-Dll(IEP) in BHO: (not found)
(5/7/05 1:46:38 PM) UBF: 7 - UBB: 0 - UBR: 15
(5/7/05 1:46:38 PM) UBF: 7 - UBB: 0 - UBR: 15
(5/7/05 1:46:38 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(5/7/05 1:46:38 PM) Stealth-String not found
(5/7/05 1:46:38 PM) Not infected->END

- Ran Cleanup successfully.

- I tried to run Kaspersky in normal mode. It ran continuously for 9-1/2 hours and wasn't even 10% finished, so I stopped it.

- Downloaded Silent Runners. Here's the log:


"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINNT\System32\ctfmon.exe" [MS]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ForbesInvesting" = "C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe" [file not found]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck" ["Safer Networking Limited"]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" [file not found]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "ckpginashim.dll" ["Check Point Software Technologies"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! ckpNotify\DLLName = "ckpNotify.dll" ["Check Point Software Technologies"]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\amartino\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "amartino" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\amartino\Start Menu\Programs\Startup
"Microsoft Office Shortcut Bar" -> shortcut to: "C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"dbAdhocBatch" -> launches: "C:\DDM FILES\dbAdhocBatch.bat" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Castanet Tuner 4.6, Marimba, "C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe" ["Marimba, Inc."]
Check Point SecuRemote Service, SR_Service, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"" ["Check Point Software Technologies"]
Check Point SecuRemote WatchDog, SR_WatchDog, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"" ["Check Point Software Technologies"]
DameWare Mini Remote Control, DWMRCS, "C:\WINNT\SYSTEM32\DWRCS.EXE -service" ["DameWare Development LLC"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."]
Remote User Service, RemoteUser, "C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

- Tried to disable McAfee Virus scan. Was not able to (options were greyed out??).
- Ran Ewido anyway and although McAfee did trigger again while Ewido was running, it didn't prevent Ewido from completing this time. Ewido successfully cleaned 13 infected files.

Finally, here's the latest HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 7:56:25 PM, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\amartino\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://my.metlife.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)

#10
Guest_usetobe_* (Guest)
Hi ANDY,

Here we go again, Next round.

Firstly, you need to create a new folder (for example C:\HJT) and install HJT into that folder and run it from there, so that it can create backups if required.

Rescan with HJT and check the following

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)


Also, as neither you nor I know what the following are, I would also suggest removal. If they are, as you may think, something to do with meetings once in a while, they could always be reconfigured if needed.

All the O16 entries relating to C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD <----- There are 6 of them in all.

Reboot into SAFE MODE and delete the following

C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD <--entire folder

Try to get any of the following online antivirus scans to run

F-secure

Trend

Bitdefender

Rescan with HJT and post the log back and let me know the results from virus scans

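The reply above picks out four kinds of HJT entries to fix (a blanked start page, an O15 ProtocolDefaults change, a Winlogon Notify DLL, a service whose binary is missing) plus a run of O16 entries loaded from a local Temp folder. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that applies those same review rules to raw HJT log lines. The sample lines are copied from the log posted earlier in the thread (URLs the post already truncated with "..." are left that way); the rule wording, the `Finding` structure and the `Temp\` heuristic are my own, not anything HijackThis defines.

```python
"""Triage a HijackThis (HJT) log for the entry classes reviewed in this thread.

Added example; not code from the thread or from HijackThis itself.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the HJT log posted earlier in this thread
# (URLs that were already truncated with "..." in the post are left that way).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.metlife.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
"""

# An HJT entry line: a section code such as R0, O4, O23, then " - ", then the entry.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Heuristic (mine, not HJT's): a file:// source under a Temp folder.
TEMP_FILE_URL_RE = re.compile(r"file://.*\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    line: str
    reason: str


def classify(code: str, body: str) -> str:
    """Return a reason string if this entry deserves review, else ''."""
    if code in ("R0", "R1") and body.rstrip().endswith("="):
        return "blank IE start/search page, usually left behind by a cleaner; fix to restore the default"
    if code == "O15" and "should be" in body:
        return "ProtocolDefaults moved a protocol out of the Internet Zone (zone policy tampering)"
    if code == "O16" and TEMP_FILE_URL_RE.search(body):
        return "Downloaded Program File sourced from a local Temp folder, unusual for a legitimate ActiveX install"
    if code == "O20":
        return "Winlogon Notify DLL loads at every logon; confirm the publisher before keeping it"
    if code == "O23" and "(file missing)" in body:
        return "service points at a binary that no longer exists: orphaned persistence entry"
    return ""


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and collect the entries worth fixing or verifying."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:  # header, blank line or a 'Running processes' path
            continue
        reason = classify(m.group("code"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("code"), line, reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged entries per HJT section code, e.g. {'O16': 6, 'O23': 1}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it flags exactly the entries the reply lists (one R0, the O15, the O20, the orphaned SvcProc O23 and all six Temp-sourced O16 lines) while leaving the DameWare service and the Kaspersky web-scanner O16 alone. The O20 rule deliberately says "confirm the publisher" rather than "remove": the flagged ckpNotify.dll is attributed to Check Point in the Silent Runners output earlier in the thread, so an entry in that class is a verification task, not an automatic delete.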

#11
andy1210 (Topic Starter, Member, 14 posts)
Hi,

- I checked and deleted the 10 HJT entries you listed.
- When in SafeMode, the file listed under the Documents and Settings folder was not there to delete.
- GOOD NEWS: While going into SafeMode I noticed that there were 2 types of SafeMode to enter. When choosing SafeMode w/networking, I found that I was able to log on using my regular ID / password and not the Local ID I created earlier. Because of this, I have Admin Rights in SafeMode now so I went ahead and ran the virus software you mentioned in the last note: Buster, CWShredder and SpSeHjfix.

Here's the Buster logfile run in SafeMode:


Scanned at: 7:24:38 PM on: 05/09/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINNT\Gmkqrnvbna.qdi:hzuir
C:\WINNT\IM4.STY:dtqgh
C:\WINNT\sysres.vbs:yuuyt


Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINNT\Gmkqrnvbna.qdi:hzuir
C:\WINNT\IM4.STY:dtqgh
C:\WINNT\sysres.vbs:yuuyt


Attempted Clean Of Temp folder.
Pages Reset... Done!


Here's the SPSeHjfix run in SafeMode:


(5/9/05 7:44:01 PM) SPSeHjFix started v1.1.2
(5/9/05 7:44:01 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/9/05 7:44:01 PM) Language: english
(5/9/05 7:44:01 PM) Win-Path: C:\WINNT
(5/9/05 7:44:01 PM) System-Path: C:\WINNT\System32
(5/9/05 7:44:01 PM) Temp-Path: C:\DOCUME~1\amartino\LOCALS~1\Temp\
(5/9/05 7:44:02 PM) Disinfection started
(5/9/05 7:44:02 PM) Bad-Dll(IEP): (not found)
(5/9/05 7:44:02 PM) Bad-Dll(IEP) in BHO: (not found)
(5/9/05 7:44:02 PM) UBF: 7 - UBB: 0 - UBR: 15
(5/9/05 7:44:02 PM) UBF: 7 - UBB: 0 - UBR: 15
(5/9/05 7:44:02 PM) Bad IE-pages: (none)
(5/9/05 7:44:02 PM) Stealth-String not found
(5/9/05 7:44:02 PM) Not infected->END


I ran F-secure which said the following 4 files were still infected:

C:\EXACT.exe Trojan.Win32.Qhost.bi

C:\windows\bundles\SSK_B5.EXE Trojan-Dropper.Win32.SurfSide.a

C:\WINNT\Downloaded Program Files\auto.exe Trojan.Win32.Dialer.fq

C:\WINNT\Downloaded Program Files\WildApp.inf IRC/OverPro.A@adw

I also successfully ran Trend and Bitdefender on MSIE.

Here's the latest HJT:


Logfile of HijackThis v1.99.1
Scan saved at 11:45:22 PM, on 05/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: NameServer = 10.10.61.91,10.9.167.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)

#12
Guest_usetobe_* (Guest)
Hi Andy,

Almost done.

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find System Startup Service.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Rescan with HJT and check the following:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)

Ensure no windows are open except HJT and click Fix checked.

Rescan with HJT and post log back.

#13
andy1210 (Topic Starter, Member, 14 posts)
You mean there's actually a light at the end of the tunnel?!?!?

- I went into services.msc as instructed. It was already 'stopped'. I did disable it and then applied.

- I ran HJT but did not see the O23 entry you listed to check / fix. Did I do something wrong?

Here's the rescan of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:32:44 AM, on 05/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\PROGRA~1\Marimba\CASTAN~1\lib\jre\bin\java.exe
C:\Documents and Settings\amartino\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
  • 0

#14
Guest_usetobe_*
  • Guest
Hi Andy,

The light at the end of the tunnel is getting bright, get ready for your sunglasses.

Set PC to show hidden files

Reboot into SAFE MODE

Press ctrl/alt/delete, processes

If the following entry is running, end task it:

C:\PROGRA~1\Marimba\CASTAN~1\lib\jre\bin\java.exe

Then, using Windows Explorer, locate the file C:\PROGRA~1\Marimba\CASTAN~1\lib\jre\bin\java.exe and delete it.

Reboot normally, rescan with HJT and post the log back.
  • 0
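Before deleting a file on the strength of a log alone, a practitioner would want to see which running processes the log's own autostart (O4) and service (O23) entries account for, since a process with no such entry is the one worth a closer look. As an added example that is not from this thread or from HijackThis itself, the Python below parses the HijackThis v1.99.1 layout quoted above against a constructed sample log; the core-OS allow-list is an assumption, and an unaccounted process is a triage hint, not proof of malware.

```python
import re

# Constructed sample in the HijackThis layout quoted in this thread,
# trimmed to a few lines so the example runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Marimba\CASTAN~1\lib\jre\bin\java.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
"""

# Assumed allow-list of core XP processes that HijackThis always lists and
# that never have an O4/O23 entry of their own (plus HijackThis itself).
CORE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "explorer.exe", "hijackthis.exe"}

# Matches an executable basename anywhere on a line (paths may contain
# spaces and 8.3 names such as PROGRA~1, so match only the final component).
EXE_RE = re.compile(r"[\w~\-]+\.exe", re.I)


def parse_log(text):
    """Return (running process basenames, basenames referenced by O4/O23)."""
    running, autostart = [], set()
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:               # blank line ends the process section
            in_procs = False
            continue
        names = [n.lower() for n in EXE_RE.findall(line)]
        if in_procs and names:
            running.append(names[-1])
        elif line.startswith(("O4 ", "O23 ")) and names:
            autostart.update(names)
    return running, autostart


def unaccounted(text):
    """Running processes explained neither by the core list nor by any O4/O23 entry."""
    running, autostart = parse_log(text)
    return [p for p in running if p not in CORE and p not in autostart]


if __name__ == "__main__":
    print(unaccounted(SAMPLE_LOG))   # ['java.exe']
```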

#15
andy1210

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I have total confidence in your direction, but wanted to check with you on the latest instructions just to be sure. Per an earlier note, I do recognize Marimba Castanet Tuner as the software my company uses to transmit new software to my machine remotely (without me having to bring my physical PC to the office to have software loaded). Is this .exe that I'm about to delete part of that software, or is it some malicious virus that just looks legitimate?

Pls confirm. Thanks.
  • 0
