Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

unkown agent at work [CLOSED]

Started by Slace , Jun 04 2005 01:10 PM

  • This topic is locked This topic is locked

#1
Slace
Posted 04 June 2005 - 01:10 PM

Slace

    Member

  • Member
  • PipPip
  • 13 posts
hello and thank you for taking the time to help. Ive followed the steps outlined by your site and have been successfull to a point. For a couple of days now i have been getting a gray messenger service box that tells me to go to various sites, Winregfix.com is among one of them. Ive noticed others with the same problem and have tried following the advice given, but was unsucessful. I would appreciate whatever help you can provide.

Here is my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 11:15:02 AM, on 6/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Slace\My Documents\hikackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F3 - REG:win.ini: load=C:\\oer3sh.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Wizard] msnsgn.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [Services] C:\cache.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [yjobqnwb] C:\WINDOWS\yjobqnwb.exe
O4 - HKLM\..\Run: [Registry Value Name] sms.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\RunServices: [Registry Value Name] sms.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Sygate32 Firewall] Sygate32.exe
O4 - HKCU\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [Windows32 Net Database] msnd32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Windows Messenger Messenger] winmsg.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\RunServices: [Windows32 Net Database] msnd32.exe
O4 - HKCU\..\RunServices: [Windows Messenger Messenger] winmsg.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
  • 0

Advertisements

#2
Guest_thatman_*
Posted 07 June 2005 - 07:21 PM

Guest_thatman_*
  • Guest
Hi Slace

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet

Use windows add remove program file's uninstall the following:
c:\program files\180solutions\sais.exe

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F3 - REG:win.ini: load=C:\\oer3sh.exe
O4 - HKLM\..\Run: [Windows Wizard] msnsgn.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [Services] C:\cache.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [yjobqnwb] C:\WINDOWS\yjobqnwb.exe
O4 - HKLM\..\Run: [Registry Value Name] sms.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\RunServices: [Registry Value Name] sms.exe
O4 - HKCU\..\Run: [Sygate32 Firewall] Sygate32.exe
O4 - HKCU\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [Windows32 Net Database] msnd32.exe
O4 - HKCU\..\Run: [Windows Messenger Messenger] winmsg.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\RunServices: [Windows32 Net Database] msnd32.exe
O4 - HKCU\..\RunServices: [Windows Messenger Messenger] winmsg.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Using Windows Explorer, locate the following files/folders, and delete them:
C:\\oer3sh.exe<--Delete the whole folder
msnsgn.exe<--Delete this file
C:\cache.exe<--Delete the whole folder
c:\program files\180solutions\<--Delete the whole folder
C:\WINDOWS\yjobqnwb.exe<--Delete this file
sms.exe<--Delete this file
Sygate32.exe<--Delete this file
winmsg.exe<--Delete this file
interserv.exe<--Delete this file
C:\WINDOWS\taskbarmngr.exe<--Delete this file
Exit Explorer.

Reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
Slace
Posted 07 June 2005 - 09:41 PM

Slace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi and thank you for helping me out with my problems. I followed your steps as best i could, but i did find some bumps. Mainly with deleting files and such.

First, when i ran my hijackthis i was unable to find these files:
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [Sygate32 Firewall] Sygate32.exe
O4 - HKCU\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe


also, i was unable to find these files through my explorer:
C:\\oer3sh.exe<--Delete the whole folder
msnsgn.exe<--Delete this file
C:\cache.exe<--Delete the whole folder
c:\program files\180solutions\<--Delete the whole folder
C:\WINDOWS\yjobqnwb.exe<--Delete this file
sms.exe<--Delete this file
Sygate32.exe<--Delete this file
winmsg.exe<--Delete this file
interserv.exe<--Delete this file
C:\WINDOWS\taskbarmngr.exe<--Delete this file

these were the only problems i ran into while following your steps. I have done everything else you asked.

Here is my fresh hijackthis log and my ewido and panda logs.


Logfile of HijackThis v1.99.1
Scan saved at 8:40:25 PM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Slace\Desktop\Security programs\hikackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:26:38 PM, 6/7/2005
+ Report-Checksum: 31C35A09

+ Date of database: 6/7/2005
+ Version of scan engine: v3.0

+ Duration: 47 min
+ Scanned Files: 122966
+ Speed: 42.96 Files/Second
+ Infected files: 13
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Slace\Cookies\slace@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@list[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@spylog[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\H@tKeysH@@k.DLL -> Not-A-Virus.Tool.Game.HotHook -> Cleaned with backup


::Report End


Panda report

Incident Status Location

Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games\Betting.lnk
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Adware:Adware/ILookup No disinfected C:\WINDOWS\ILookup
Spyware:Spyware/YourSiteBar No disinfected C:\Program Files\YourSiteBar
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Living\Insurance.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Technology\Tech & gadgets.lnk
Possible Virus. No disinfected C:\Program Files\BullGuard Software\BullGuard 5.0\Quarantine\sms.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Virus:W32/Sdbot.DUG.worm Disinfected C:\WINDOWS\system32\TFTP1308

thank you again for your help
  • 0

#4
Guest_thatman_*
Posted 08 June 2005 - 02:12 AM

Guest_thatman_*
  • Guest
Hi Slace

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Windows Taskbar Manager (wtaskbarmngr)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you donīt find this service listed go ahead with the next steps.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan save the log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\Documents and Settings\Slace\Favorites\Fun & Games\Betting.lnk
C:\Program Files\Ares
C:\WINDOWS\ILookup
C:\Program Files\YourSiteBar
C:\Documents and Settings\Slace\Favorites\Fun & Games\Betting.lnk
C:\Documents and Settings\Slace\Favorites\Fun & Games\Casino Palace.lnk
C:\Documents and Settings\Slace\Favorites\Fun & Games\Casino.lnk
C:\Documents and Settings\Slace\Favorites\Fun & Games\Games.lnk
C:\Documents and Settings\Slace\Favorites\Fun & Games\Horoscope.lnk
C:\Documents and Settings\Slace\Favorites\Going Places\Air Tickets.lnk
C:\Documents and Settings\Slace\Favorites\Going Places\Car Rentals.lnk
C:\Documents and Settings\Slace\Favorites\Going Places\Hotel Deals.lnk
C:\Documents and Settings\Slace\Favorites\Going Places\Luggage.lnk
C:\Documents and Settings\Slace\Favorites\Going Places\Travel.lnk
C:\Documents and Settings\Slace\Favorites\Living\Dating.lnk
C:\Documents and Settings\Slace\Favorites\Living\Find a Degree.lnk
C:\Documents and Settings\Slace\Favorites\Living\Find a job.lnk
C:\Documents and Settings\Slace\Favorites\Living\Home.lnk
C:\Documents and Settings\Slace\Favorites\Living\Insurance.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Auctions.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Books.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Computers.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Discount.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Flowers.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Golf.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Jewelry.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Movies.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Music.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Online Store.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Perfume.lnk
C:\Documents and Settings\Slace\Favorites\Shop\Sleepwear.lnk
C:\Documents and Settings\Slace\Favorites\Technology\Adware Remover.lnk
C:\Documents and Settings\Slace\Favorites\Technology\Anti-Virus.lnk
C:\Documents and Settings\Slace\Favorites\Technology\PC Cleaner.lnk
C:\Documents and Settings\Slace\Favorites\Technology\Tech & gadgets.lnk
C:\Program Files\BullGuard Software\BullGuard 5.0\Quarantine\sms.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\system32\TFTP1308
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
Slace
Posted 08 June 2005 - 01:42 PM

Slace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
woot!

id just like to let you know that my system is running much smoother now and that my initial problem is no longer here. the gray messenger box stoped showing up when i turned from IE and started using opera. also i installed a new router yesterday as well. However i do have controll of my windows Task manager again (before today i was unable to acess it) and i no longer get the annoying pop ups, so whoever is to thank for that i thank you.

now onto business.

i ran services.msc and found windows taskbar manager, however it was already turned off. Not sure if that means anything but ohh well. I did disable the start up type though.

i followed all of your other instructions and believe they ran smoothly. im assuming killbox deleted the files i told it too however i did not recieve any kind of confirmation. If this is a natural thing lemme know.

also, i was unable to find O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
and fix this through hijack this.


here is a fresh copy of my logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:37 PM, on 6/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Slace\Desktop\Security programs\hikackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:12:05 PM, 6/8/2005
+ Report-Checksum: 71C0C9FD

+ Date of database: 6/8/2005
+ Version of scan engine: v3.0

+ Duration: 45 min
+ Scanned Files: 123942
+ Speed: 45.51 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End


thanks!
  • 0

#6
Guest_thatman_*
Posted 08 June 2005 - 02:19 PM

Guest_thatman_*
  • Guest
Hi Slace

Congratulations! Your system is CLEAN ;)

MicrosoftŪ Windows AntiSpyware (Beta) 2000 and XP ONLY.
SpyBot Search & Destroy v1.3
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn of system restore
Disabling or enabling Windows XP System Restore
WIndows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Have a nice Day.

Kc :tazz:
  • 0

#7
Slace
Posted 08 June 2005 - 03:07 PM

Slace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
woot woot!

thanks so much for your help!

now to work on my newest problem, the router's firewall, i dont suppose you know anything about port forwarding and such, im trying to get my games and such to run properly again.
  • 0

#8
Guest_thatman_*
Posted 08 June 2005 - 03:49 PM

Guest_thatman_*
  • Guest
Hi Slace

We have a hardware forum you will get all the help you need.

Just post there and ask your questoin

Kc :tazz:
  • 0

#9
Guest_thatman_*
Posted 08 June 2005 - 03:49 PM

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#10
Guest_thatman_*
Posted 15 June 2005 - 03:46 PM

Guest_thatman_*
  • Guest
Topic reopened.

Kc :tazz:
  • 0

Advertisements

#11
Slace
Posted 15 June 2005 - 03:56 PM

Slace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
hey thanks for reopening this.

Seems the bug is back, or it never left. The gray messenger box that i was recieving way back when left when i installed my new router. However my roomate being a [bleep] made me uninstall it and go back to usb cable, which brought the gray messenger box problem back. And now periodically i get a message telling me that windows is restarting because the RCP (or something along those lines, not completely sure if thats the exact acronym.) was deactivated.

here is a fresh copy of hijack this and ewido scans


Logfile of HijackThis v1.99.1
Scan saved at 2:54:49 PM, on 6/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Slace\Desktop\Security programs\hikackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe (file missing)


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:02:28 PM, 6/15/2005
+ Report-Checksum: 68E43F77

+ Date of database: 6/15/2005
+ Version of scan engine: v3.0

+ Duration: 58 min
+ Scanned Files: 97542
+ Speed: 27.58 Files/Second
+ Infected files: 8
+ Removed files: 8
+ Files put in quarantine: 8
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Slace\Cookies\slace@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

thanks
  • 0

#12
Slace
Posted 15 June 2005 - 10:18 PM

Slace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
just an update to let you guys know. I think i have something very serious going on here, i cant use any program because they lock up, i can hardly have my computer running for very long before it crashes. I get a pop up from Ewido every few minutes telling me its cleaned another file, yet sometimes its the same file it says its cleaned. Please any kind of help you can offer would be greately appreciated, and the faster the better, i dont want to lose anything on my hard drive.
  • 0

#13
Guest_thatman_*
Posted 16 June 2005 - 02:11 AM

Guest_thatman_*
  • Guest
Hi Slace

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Remote Procedure Call (RPC) Client (RpcClient)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you donīt find this service listed go ahead with the next steps.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#14
Slace
Posted 16 June 2005 - 09:02 AM

Slace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
kk did that


Logfile of HijackThis v1.99.1
Scan saved at 7:59:49 AM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Slace\Desktop\Security programs\hikackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



panda active scan log

Incident Status Location

Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Slace\Favorites\Fun & Games
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Virus:Bck/Sdbot.DXK Disinfected C:\WINDOWS\system32\eraseme_30032.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Virus:W32/Sdbot.DYO.worm Disinfected C:\WINDOWS\system32\mmm.exe
Virus:W32/Sdbot.DYO.worm Disinfected C:\WINDOWS\system32\TFTP2332
Virus:W32/Sdbot.DYO.worm Disinfected C:\WINDOWS\system32\TFTP3836
Virus:W32/Sdbot.DYO.worm Disinfected C:\WINDOWS\system32\winupdater.exe
thanks for the help
  • 0

#15
Guest_thatman_*
Posted 16 June 2005 - 09:52 AM

Guest_thatman_*
  • Guest
Hi Slace

Please read through the instructions before you start (you may want to print this out).

To remove C:\Program Files\ISTsvc\ISTSVC.EXE use the link below:
http://securityrespo...er/FxIstbar.exe

The following Programs do not need to start when windows boots up all can be run manualy
C:\Program Files\QuickTime\qttask.exe" -atboottime
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

Use windows explorer to find the following:
C:\Documents and Settings\Slace\Favorites\Fun & Games[/b[<--Delete this folder from your Favorites
C:\Program Files\Ares<--Delete the whole folder

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
[b]Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP