Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't remove CoolWWWSearch[RESOLVED]

Started by worktrader , May 09 2005 09:34 PM

  • This topic is locked This topic is locked

#1
worktrader
Posted 09 May 2005 - 09:34 PM

worktrader

    Member

  • Member
  • PipPip
  • 19 posts
Hoping someone can help me. I have run through the "read through this section first". SpyBot S&D found a CoolWWWSearch and CoolWWWSearch.Bootconf that don't seem to want to go away. Sometimes it goes away for a few boots but resurrects itself later.

Not sure if it's related to this malware but my McAfee no longer loads so I removed it and can't reinstall successfully. I also lost my Yahoo! toolbar.

Last note - my PC has an alternate domain setup? I need to keep it unless it's goofing everything up. I do have administrator rights to my local machine.

Here is a copy of my current hijack log. I have run spybot and rebooted. Please help!

---------------
Logfile of HijackThis v1.99.1
Scan saved at 8:21:37 AM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\Cleanup\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [swdoctor] C:\Program Files\Spyware Doctor\swdoctor.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62B53F93-2E32-11D4-B0A1-004095451A77} (EagleSTAR Download Manager) - http://49.50.21.221:...loadmanager.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.investtech...tsweb/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inhouse.opers.org
O17 - HKLM\Software\..\Telephony: DomainName = inhouse.opers.org
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - c:\ibmtools\utils\Psasrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks in advance. :tazz:

Edited by worktrader, 10 May 2005 - 06:52 AM.

  • 0

Advertisements

#2
worktrader
Posted 10 May 2005 - 06:25 AM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
:tazz:

Edited by worktrader, 10 May 2005 - 06:53 AM.

  • 0

#3
ScHwErV
Posted 10 May 2005 - 07:06 AM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
WorkTrader

Hello and welcome to Geeks To Go.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

ScHwErV :tazz:
  • 0

#4
worktrader
Posted 10 May 2005 - 07:11 AM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here's what it said...



L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
"DllName"="QConGina.dll"
"Logoff"="QConGinaWLEventLogoff"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
@=""
"DllName"="tphklock.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
authz.dll Wed Mar 2 2005 2:20:04p A.... 53,760 52.50 K
browseui.dll Fri Feb 18 2005 3:09:14p A.... 1,017,856 994.00 K
gccoll~1.dll Thu Feb 10 2005 10:32:20p A.... 119,520 116.72 K
gcmd5q~1.dll Mon May 9 2005 1:56:10p A.... 10,752 10.50 K
gcunco~1.dll Thu Feb 10 2005 10:32:20p A.... 130,272 127.22 K
hashlib.dll Thu Feb 10 2005 10:32:18p A.... 81,120 79.22 K
iepeers.dll Fri Feb 18 2005 12:43:20p A.... 236,032 230.50 K
mqad.dll Wed Mar 23 2005 2:12:48p ..... 130,048 127.00 K
mqdscli.dll Wed Mar 23 2005 2:12:48p ..... 44,032 43.00 K
mqise.dll Wed Mar 23 2005 2:12:48p ..... 14,848 14.50 K
mqqm.dll Wed Mar 23 2005 2:12:48p ..... 608,768 594.50 K
mqrt.dll Wed Mar 23 2005 2:12:48p ..... 165,888 162.00 K
mqsec.dll Wed Mar 23 2005 2:12:48p ..... 88,576 86.50 K
mqupgrd.dll Wed Mar 23 2005 2:12:48p ..... 44,544 43.50 K
mqutil.dll Wed Mar 23 2005 2:12:48p ..... 467,456 456.50 K
mshtml.dll Thu Feb 24 2005 1:23:26p A.... 2,811,904 2.68 M
msrating.dll Thu Feb 24 2005 11:54:42a ..... 132,096 129.00 K
qcongina.dll Fri Mar 18 2005 3:07:00a ..... 262,144 256.00 K
shdocvw.dll Fri Feb 18 2005 3:09:00p A.... 1,337,344 1.27 M
shell32.dll Fri Mar 11 2005 9:51:16p A.... 8,348,672 7.96 M
spmsg.dll Thu Feb 24 2005 7:35:06p ..... 14,048 13.72 K
tvt_gina.dll Fri Mar 18 2005 3:07:00a ..... 577,536 564.00 K
tvt_gi~1.dll Fri Mar 18 2005 3:07:00a ..... 282,624 276.00 K
user32.dll Wed Mar 2 2005 2:20:04p ..... 561,152 548.00 K
vsdata.dll Tue Apr 19 2005 6:05:10p A.... 75,528 73.76 K
vsinit.dll Tue Apr 19 2005 6:05:22p A.... 124,680 121.76 K
vsmonapi.dll Tue Apr 19 2005 6:05:30p A.... 108,296 105.76 K
vspubapi.dll Tue Apr 19 2005 6:05:34p A.... 198,408 193.76 K
vsregexp.dll Tue Apr 19 2005 6:05:38p A.... 71,432 69.76 K
vsutil.dll Tue Apr 19 2005 6:05:50p A.... 354,056 345.76 K
vsxml.dll Tue Apr 19 2005 6:06:00p A.... 100,096 97.75 K
w29mlres.dll Mon Feb 14 2005 6:48:12a A.... 1,671,168 1.59 M
w29ncpa.dll Mon Feb 14 2005 6:47:58a A.... 458,752 448.00 K
wininet.dll Fri Feb 18 2005 4:19:18p A.... 592,384 578.50 K
winsrv.dll Wed Mar 2 2005 2:20:04p ..... 277,504 271.00 K
xpsp2res.dll Fri Mar 11 2005 6:07:14p A.... 594,432 580.50 K
zlcomm.dll Tue Apr 19 2005 6:06:20p A.... 75,528 73.76 K
zlcommdb.dll Tue Apr 19 2005 6:06:24p A.... 67,336 65.76 K

38 items found: 38 files, 0 directories.
Total of file sizes: 22,310,592 bytes 21.27 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Tom IBM
Volume Serial Number is D41D-BCC9

Directory of C:\WINDOWS\System32

05/09/2005 03:10 PM <DIR> dllcache
05/03/2005 11:27 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 47,947,829,248 bytes free
  • 0

#5
ScHwErV
Posted 10 May 2005 - 09:38 AM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

ScHwErV :tazz:
  • 0

#6
worktrader
Posted 10 May 2005 - 10:51 AM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Sorry for the delay... Here it is. The hijack log is also attached below. Thanks!

----------------------------------------

L2Mfix 1.03

Running From:
C:\Documents and Settings\Tom\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Tom\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Tom\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2792 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 3172 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
adding: clear.reg (140 bytes security) (deflated 2%)
adding: echo.reg (140 bytes security) (deflated 8%)
adding: desktop.ini (140 bytes security) (stored 0%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 72%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 74%)
adding: test.txt (140 bytes security) (stored 0%)
adding: test2.txt (140 bytes security) (stored 0%)
adding: test3.txt (140 bytes security) (stored 0%)
adding: test5.txt (140 bytes security) (stored 0%)
adding: backregs/shell.reg (140 bytes security) (deflated 62%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
"DllName"="QConGina.dll"
"Logoff"="QConGinaWLEventLogoff"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
@=""
"DllName"="tphklock.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 12:49:56 PM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\Cleanup\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [swdoctor] C:\Program Files\Spyware Doctor\swdoctor.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62B53F93-2E32-11D4-B0A1-004095451A77} (EagleSTAR Download Manager) - http://49.50.21.221:...loadmanager.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.investtech...tsweb/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inhouse.opers.org
O17 - HKLM\Software\..\Telephony: DomainName = inhouse.opers.org
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - c:\ibmtools\utils\Psasrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



  • 0

#7
ScHwErV
Posted 11 May 2005 - 07:32 AM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
We still have some work to do.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Reboot your computer into normal windows.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O19 - User stylesheet: (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. [/b]After that, Reboot.

After all that, please post a fresh HiJackThis log.

ScHwErV :tazz:
  • 0

#8
worktrader
Posted 11 May 2005 - 12:32 PM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I walked through your procedures - here are the log files that you asked for.

Logfile of HijackThis v1.99.1
Scan saved at 2:27:03 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Tom\Desktop\Cleanup\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [swdoctor] C:\Program Files\Spyware Doctor\swdoctor.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62B53F93-2E32-11D4-B0A1-004095451A77} (EagleSTAR Download Manager) - http://49.50.21.221:...loadmanager.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.investtech...tsweb/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inhouse.opers.org
O17 - HKLM\Software\..\Telephony: DomainName = inhouse.opers.org
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - c:\ibmtools\utils\Psasrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[From the Kaspersky Online Scan]
C:\Documents and Settings\All Use... Edition\7.5\Quarantine\04BC0000.VBN Trojan-....Small.amb send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\04BC0001.VBN Trojan....artPage.ix send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\08880000.VBN Exploit.HTML.Mht send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680000.VBN Exploit.HTML.Mht send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680001.VBN Trojan-....JS.Weis.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680002.VBN Virus.Win32.Bube.k send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680003.VBN Trojan....ssLoader.c send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680004.VBN Virus.Win32.Bube.k send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680005.VBN Trojan.Java.Femad send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0C680006.VBN Trojan.Java.Femad send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0D880000.VBN Trojan-....Small.amb send delete

C:\WINDOWS\system32\ActiveScan\imscan.dll Virus.D...ronia.2538

Please note: I did not ask the scan to clean these files. Your instructions didn't say to do that. Hope that was ok.

Thanks!!! Tom
  • 0

#9
ScHwErV
Posted 11 May 2005 - 12:46 PM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
You have a variant of CWS that uses a hidden file to re-infect. Lets find that file.

Download: StartDreck from: http://www.niksoft.a.../startdreck.htm
  • Extract the file into c:\startdreck.
  • Navigate to c:\startdreck and double-click on Startdreck.exe
  • When the program opens click on the Config button.
  • Then click on the unmark all button.
  • Put checkmarks in the following checkboxes:
  • Under Registry put a checkmark in the Run Keys checkbox.
  • Under System/Drivers put a check in the Running Proccess checkbox.
  • Press the OK button.
  • Press the Save button.
Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Open the StartDrek.log, copy and paste the results of that log here.

ScHwErV :tazz:
  • 0

#10
worktrader
Posted 11 May 2005 - 02:40 PM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Ok. Here it is...

StartDreck (build 2.1.7 public stable) - 2005-05-11 @ 16:38:49 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Tom at THONG-CONSULTAN

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*Zone Labs Client="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*QCWLIcon=C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
*QCTray=C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
*TPHOTKEY=C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
*PRONoMgrWired=C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*swdoctor=C:\Program Files\Spyware Doctor\swdoctor.exe
*BMMGAG=RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+504=\SystemRoot\System32\smss.exe
+552=\??\C:\WINDOWS\system32\csrss.exe
+576=\??\C:\WINDOWS\system32\winlogon.exe
+620=C:\WINDOWS\system32\services.exe
+632=C:\WINDOWS\system32\lsass.exe
+800=C:\WINDOWS\System32\ibmpmsvc.exe
+840=C:\WINDOWS\System32\Ati2evxx.exe
+868=C:\WINDOWS\system32\svchost.exe
+972=C:\WINDOWS\System32\svchost.exe
+1084=C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
+1140=C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
+1276=C:\WINDOWS\System32\svchost.exe
+1304=C:\WINDOWS\System32\svchost.exe
+1424=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1468=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1588=C:\WINDOWS\system32\spoolsv.exe
+316=C:\WINDOWS\System32\alg.exe
+340=C:\Program Files\Symantec AntiVirus\DefWatch.exe
+380=C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
+476=C:\WINDOWS\System32\QCONSVC.EXE
+944=C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
+964=C:\Program Files\Symantec AntiVirus\SavRoam.exe
+1104=C:\WINDOWS\System32\tcpsvcs.exe
+1812=C:\Program Files\Symantec AntiVirus\Rtvscan.exe
+1904=C:\WINDOWS\System32\wdfmgr.exe
+1940=C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+144=C:\WINDOWS\system32\svchost.exe
+3312=C:\WINDOWS\system32\Ati2evxx.exe
+3376=C:\WINDOWS\Explorer.EXE
+3476=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+3484=C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
+3504=C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
+3528=C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
+3548=C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
+3556=C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
+3608=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
+3664=C:\Program Files\Spyware Doctor\swdoctor.exe
+3712=C:\WINDOWS\System32\RunDll32.exe
+2264=C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
+3924=C:\Program Files\Internet Explorer\iexplore.exe
+2204=C:\WINDOWS\system32\ntvdm.exe
+3984=C:\startdreck\StartDreck.exe
»Application specific
  • 0

Advertisements

#11
ScHwErV
Posted 12 May 2005 - 07:29 AM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
That log is clean. I believe SpywareDoctor is causing us some grief by protecting those bad BHOs.

SpywareDoctor is not considered a Rogue antispyware program, but it is also not on the list of trusted antispyware programs. I suggest its removal. If you do not want to remove it, we will need to disable it before it will allow us to fix the problems.

After you either remove or disable SpywareDoctor, run HiJackThis again and place a check next to the following entries.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)

Then close all open windows and click Fix Checked.

Then reboot and post a fresh HiJackThis log. After we have you all cleaned up you can either re-enable SpywareDoctor or I can suggest some great free tools to take its place.

ScHwErV :tazz:
  • 0

#12
worktrader
Posted 12 May 2005 - 10:00 AM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here's the new log. It's still lingering isn't it? :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:44 AM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Tom\Desktop\Cleanup\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62B53F93-2E32-11D4-B0A1-004095451A77} (EagleSTAR Download Manager) - http://49.50.21.221:...loadmanager.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.investtech...tsweb/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inhouse.opers.org
O17 - HKLM\Software\..\Telephony: DomainName = inhouse.opers.org
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - c:\ibmtools\utils\Psasrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#13
ScHwErV
Posted 12 May 2005 - 01:23 PM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Were gonna need some different settings for StartDrek.


Download and Run startdreck

Click on config
Then unmark all
Then check NT Kernal and FS-drivers
Click OK
Then click save
Post the log

ScHwErV :tazz:
  • 0

#14
worktrader
Posted 13 May 2005 - 07:24 AM

worktrader

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here's the log. By the way - in case it's not clear, I appreciate your efforts here!!
*********************

StartDreck (build 2.1.7 public stable) - 2005-05-13 @ 09:21:43 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Tom at THONG-CONSULTAN

»Registry
»Files
»System/Drivers
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
*abp480n5 abp480n5 - disabled
*Intel® 82801 Audio Driver Install Service (WD ac97intc - on demand
`M)
*Microsoft ACPI Driver ACPI running boot
*Microsoft Embedded Controller Driver ACPIEC running boot
*adpu160m adpu160m - disabled
*aeaudio aeaudio running on demand
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
*AEGIS Protocol (IEEE 802.1x) v3.1.6.0 AegisP running auto
*AFD Networking Support Environment AFD running auto
*Intel AGP Bus Filter agp440 running boot
*Compaq AGP Bus Filter agpCPQ - disabled
*Aha154x Aha154x - disabled
*aic78u2 aic78u2 - disabled
*aic78xx aic78xx - disabled
*AliIde AliIde - disabled
*ALI AGP Bus Filter alim1541 - disabled
*AMD AGP Bus Filter Driver amdagp - disabled
*amsint amsint - disabled
*ANC ANC running system
*asc asc - disabled
*asc3350p asc3350p - disabled
*asc3550 asc3550 - disabled
*Ascrypto Ascrypto - on demand
*Askernel Askernel running system
*ASPI32 ASPI32 - system
*Astdi Astdi running on demand
*RAS Asynchronous Media Driver AsyncMac - on demand
*Standard IDE/ESDI Hard Disk Controller atapi running boot
*Atdisk Atdisk - disabled
*ati2mtag ati2mtag running on demand
*ATM ARP Client Protocol Atmarpc - on demand
*Audio Stub Driver audstub running on demand
*Beep Beep running system
*MAC Bridge BRIDGE - on demand
*MAC Bridge Miniport BridgeMP - on demand
*Bluetooth Request Block Driver BthEnum - on demand
*Bluetooth Port Driver BTHPORT - on demand
*Bluetooth Radio USB Driver BTHUSB - on demand
*cbidf cbidf - disabled
*cbidf2k cbidf2k - disabled
*cd20xrnt cd20xrnt - disabled
*Cdaudio Cdaudio - system
*Cdfs Cdfs running disabled
*CD-ROM Driver Cdrom running system
*Changer Changer - system
*Microsoft ACPI Control Method Battery Driver CmBatt running on demand
*CmdIde CmdIde - on demand
*Microsoft Composite Battery Driver Compbatt running boot
*Cpqarray Cpqarray - disabled
*dac2w2k dac2w2k - disabled
*dac960nt dac960nt - disabled
*Disk Driver Disk running boot
*dmboot dmboot - disabled
*dmio dmio - disabled
*dmload dmload - disabled
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
*dpti2o dpti2o - disabled
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
*drvmcdb drvmcdb running boot
*drvnddm drvnddm running auto
*Intel® PRO/1000 Adapter Driver E1000 running on demand
*Intel® PRO Adapter Driver E100B - on demand
*IBM Access Support EGATHDRV running auto
*Fastfat Fastfat - disabled
*Floppy Disk Controller Driver Fdc running on demand
*Fips Fips running system
*Flpydisk Flpydisk - system
*Volume Manager Driver Ftdisk running boot
*GEAR CDRom Filter GEARAspiWDM running on demand
*Generic Packet Classifier Gpc running on demand
*Intel GV3 Processor Driver gv3 running on demand
*Microsoft HID Class Driver HidUsb - on demand
*hpn hpn - disabled
*HSFHWICH HSFHWICH running on demand
*HSF_DP HSF_DP running on demand
*i2omgmt i2omgmt running system
*i2omp i2omp - disabled
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
*ibmfilter ibmfilter running auto
*IBMPMDRV IBMPMDRV running on demand
*IBMTPCHK IBMTPCHK running system
*ids00026 ids00026 - on demand
*CD-Burning Filter Driver Imapi running system
*ini910u ini910u - disabled
*IntelIde IntelIde - disabled
*IP in IP Tunnel Driver IpInIp - on demand
*IP Network Address Translator IpNat - on demand
*IPSEC driver IPSec running system
*IrDA Protocol irda running auto
*IR Enumerator Service IRENUM running on demand
*PnP ISA/EISA Bus Driver isapnp running boot
*Keyboard Class Driver Kbdclass running system
*klstm klstm - on demand
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
*KSecDD KSecDD running boot
*lbrtfdc lbrtfdc - system
*LT Modem Driver ltmodem5 - on demand
*mdmxsdk mdmxsdk running auto
*mnmdd mnmdd running system
*Modem Modem running on demand
*Mouse Class Driver Mouclass running system
*Mouse HID Driver mouhid - on demand
*MountMgr MountMgr running boot
*mraid35x mraid35x - disabled
*WebDav Client Redirector MRxDAV running on demand
*MRxSmb MRxSmb running system
*Msfs Msfs running system
*Microsoft Streaming Service Proxy MSKSSRV - on demand
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
*Mup Mup running boot
*NAVENG NAVENG running on demand
*NAVEX15 NAVEX15 running on demand
*NDIS System Driver NDIS running boot
*Remote Access NDIS TAPI Driver NdisTapi running on demand
*NDIS Usermode I/O Protocol Ndisuio running on demand
*Remote Access NDIS WAN Driver NdisWan running on demand
*NDIS Proxy NDProxy running on demand
*NetBIOS Interface NetBIOS running system
*NetBT NetBT running system
*Npfs Npfs running system
*NSC Infrared Device Driver NSCIRDA running on demand
*Ntfs Ntfs running disabled
*Null Null running system
*IPX Traffic Filter Driver NwlnkFlt - on demand
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
*VPN-1 SecureClient Adapter OMVA - on demand
*Intel PentiumIII Processor Driver P3 - system
*Parallel port driver Parport running on demand
*PartMgr PartMgr running boot
*ParVdm ParVdm running auto
*PCI Bus Driver PCI running boot
*PCIDump PCIDump - system
*PCIIde PCIIde running boot
*Pcmcia Pcmcia running boot
*PCTINDIS5 NDIS Protocol Driver PCTINDIS5 - on demand
*PDCOMP PDCOMP - on demand
*PDFRAME PDFRAME - on demand
*PDRELI PDRELI - on demand
*PDRFRAME PDRFRAME - on demand
*perc2 perc2 - disabled
*perc2hib perc2hib - disabled
*PMEM PMEM running auto
*WAN Miniport (PPTP) PptpMiniport running on demand
*IBM PSA Access Driver psadd - on demand
*Direct Parallel Link Driver Ptilink running on demand
*PxHelp20 PxHelp20 running boot
*QCNDISIF QCNDISIF - on demand
*ql1080 ql1080 - disabled
*Ql10wnt Ql10wnt - disabled
*ql12160 ql12160 - disabled
*ql1240 ql1240 - disabled
*ql1280 ql1280 - disabled
*Remote Access Auto Connection Driver RasAcd running system
*rasacdo rasacdo running auto
*WAN Miniport (IrDA) Rasirda running on demand
*WAN Miniport (L2TP) Rasl2tp running on demand
*Remote Access PPPOE Driver RasPppoe running on demand
*Direct Parallel Raspti running on demand
*Rdbss Rdbss running system
*RDPCDD RDPCDD running system
*Terminal Server Device Redirector Driver rdpdr running on demand
*RDPWD RDPWD - on demand
*Digital CD Audio Playback Filter Driver redbook running system
*Bluetooth Device (RFCOMM Protocol TDI) RFCOMM - on demand
*SONICblue Rio generic driver XP+ RIOXDRV - on demand
*WLAN Transport s24trans running auto
*S3SSavage S3SSavage - on demand
*SAVRT SAVRT running system
*SAVRTPEL SAVRTPEL running auto
*Secdrv Secdrv - on demand
*Serenum Filter Driver serenum running on demand
*Serial port driver Serial running system
*Sfloppy Sfloppy - system
*ShockMgr ShockMgr running auto
*Shockprf Shockprf running boot
*Simbad Simbad - disabled
*SIS AGP Bus Filter sisagp - disabled
*Smapint Smapint running system
*smwdm smwdm running on demand
*Sparrow Sparrow - disabled
*Microsoft Kernel Audio Splitter splitter - on demand
*System Restore Filter Driver sr running boot
*Srv Srv running on demand
*sscdbhk5 sscdbhk5 running system
*ssrtln ssrtln running system
*Software Bus Driver swenum running on demand
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
*symc810 symc810 - disabled
*symc8xx symc8xx - disabled
*SymEvent SymEvent running on demand
*SYMREDRV SYMREDRV - on demand
*SYMTDI SYMTDI running system
*sym_hi sym_hi - disabled
*sym_u3 sym_u3 - disabled
*Synaptics TouchPad Driver SynTP running on demand
*Microsoft Kernel System Audio Device sysaudio running on demand
*TCP/IP Protocol Driver Tcpip running system
*TDPIPE TDPIPE - on demand
*TDSMAPI TDSMAPI running system
*TDTCP TDTCP - on demand
*Terminal Device Driver TermDD running system
*tfsnboio tfsnboio running auto
*tfsncofs tfsncofs running auto
*tfsndrct tfsndrct running auto
*tfsndres tfsndres running auto
*tfsnifs tfsnifs running auto
*tfsnopio tfsnopio running auto
*tfsnpool tfsnpool running auto
*tfsnudf tfsnudf running auto
*tfsnudfa tfsnudfa running auto
*TosIde TosIde - disabled
*TPHKDRV TPHKDRV running system
*TPPWR TPPWR running system
*TSMAPIP TSMAPIP running system
*TSP TSP - on demand
*IBM PS/2 TrackPoint Filter Driver TwoTrack - on demand
*Udfs Udfs - disabled
*ultra ultra - disabled
*Microcode Update Driver Update running on demand
*Microsoft USB 2.0 Enhanced Host Controller Mini usbehci running on demand
`port Driver
*Microsoft USB Standard Hub Driver usbhub running on demand
*Microsoft USB PRINTER Class usbprint - on demand
*USB Mass Storage Driver USBSTOR - on demand
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
*VgaSave VgaSave running system
*VIA AGP Bus Filter viaagp - disabled
*ViaIde ViaIde - disabled
*VolSnap VolSnap running boot
*vsdatant vsdatant running system
*Intel® PRO/Wireless 2200 Adapter Driver w22n51 - on demand
*Intel® PRO/Wireless 2200BG Network Connection w29n51 running on demand
` Driver for Windows XP
*Wicked Access by Mark WAM - on demand
*Remote Access IP ARP Driver Wanarp running on demand
*WDICA WDICA - on demand
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
*winachsf winachsf running on demand
»Application specific
  • 0

#15
ScHwErV
Posted 16 May 2005 - 06:46 AM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Ok, that log looks good. Lets run a virus scan and get a new HJT log.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

ScHwErV :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP