[greyknight17]

Logfile of HijackThis v1.99.1
Scan saved at 12:14:13 PM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\FactorySuite\Common\NTServApp.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINNT\System32\Sim9Sync.exe
C:\Program Files\FactorySuite\Common\slssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\FactorySuite\Common\wwlogsvc.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\WINNT\system32\ALMXPMGR.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mshta.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\mdm.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINNT\system32\sistray.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\DfrgFat.exe
C:\D drive\Highjack This 1_99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com
...nder.cc/search/ (obfuscated)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,ALMXPMGR.EXE
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [xvwiz32] C:\WINNT\system32\xvwizard32.hta
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: Fix - Unknown owner - C:\DYNAMICS\fixsrv.exe
O23 - Service: FS Service Control - Wonderware Corporation - C:\Program Files\FactorySuite\Common\NTServApp.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: Intellution MBE Driver Helper - Intellution, Inc. - C:\DYNAMICS\MBEHelperService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINNT\system32\iefo32.exe (file missing)
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Alarm Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell HMI Framework - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINNT\System32\Sim9Sync.exe
O23 - Service: Wonderware SuiteLink (slssvc) - Wonderware Corporation - C:\Program Files\FactorySuite\Common\slssvc.exe
O23 - Service: Wonderware Logger (WWLOGSVC) - Wonderware Corporation - C:\Program Files\FactorySuite\Common\wwlogsvc.exe
O23 - Service: Wonderware NetDDE Helper (WWNetDDE) - Wonderware Corporation - C:\Program Files\FactorySuite\Common\wwnetdde.exe
O23 - Service: WwRpcSvr - Wonderware Corporation - C:\WINNT\System32\wwinstsvc.exe

[Advertisements]

OK, this should fix that 16 bit problem that you mentioned in the PM. Copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder.

Go to this site and upload this file (C:\WINNT\system32\ALMXPMGR.EXE) there (just click browse and go to the folder it's located in). Hit Submit and wait for the analysis report. What does it say?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work.
Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service (O?’ŽrtñåȲ$Ó) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Windows ControlAd

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com
...nder.cc/search/ (obfuscated)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O4 - HKLM\..\Run: [xvwiz32] C:\WINNT\system32\xvwizard32.hta
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINNT\system32\iefo32.exe (file missing)

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Windows ControlAd\
C:\WINNT\systb.dll
C:\WINNT\system32\xvwizard32.hta
C:\WINNT\System\MSMSGSVC.exe
C:\WINNT\system32\iefo32.exe

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[greyknight17]

OK, this should fix that 16 bit problem that you mentioned in the PM. Copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder.

Go to this site and upload this file (C:\WINNT\system32\ALMXPMGR.EXE) there (just click browse and go to the folder it's located in). Hit Submit and wait for the analysis report. What does it say?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work.
Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service (O?’ŽrtñåȲ$Ó) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Windows ControlAd

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com
...nder.cc/search/ (obfuscated)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O4 - HKLM\..\Run: [xvwiz32] C:\WINNT\system32\xvwizard32.hta
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINNT\system32\iefo32.exe (file missing)

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Windows ControlAd\
C:\WINNT\systb.dll
C:\WINNT\system32\xvwizard32.hta
C:\WINNT\System\MSMSGSVC.exe
C:\WINNT\system32\iefo32.exe

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.