Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SpySherif Keeps loading on system startup [RESOLVED]

Started by LGovier , Jun 21 2005 01:48 AM

  • This topic is locked This topic is locked

#1
LGovier
Posted 21 June 2005 - 01:48 AM

LGovier

    New Member

  • Member
  • Pip
  • 6 posts
I have Windows XP with SP1 and have the Microsoft Antispyware and Spybot and Symantec AV installed but still managed to pick up an annoying startup program SpySherif that places a nasty background on my desktop. I can't see to find out how to remove it. I've read that sending the HiJack this log to this forum will help.
  • 0

Advertisements

#2
Guest_thatman_*
Posted 25 June 2005 - 10:38 AM

Guest_thatman_*
  • Guest
Hello

We are sorry for the delay in replying to your post, if your still need help please post a current HijackThis.log.

Thank you

Kc :tazz:
  • 0

#3
LGovier
Posted 27 June 2005 - 03:07 AM

LGovier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 08:36:11, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Jacobs VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gibbnet/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.wins.lawco.com;10.*.*.*;170.130.*.*;*.jacobs.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Bginfo.exe
O4 - Global Startup: Jacobs VPN Client.lnk = C:\Program Files\Jacobs VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PowerBuilder DW Control & JDBC - http://10.163.4.42/apps/cab/jacobs.CAB
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://oakman04.jaco...ib/mcsimenu.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - http://oakman05/Alti...isNSConsole.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://oakman04.jaco...lib/VSFlex8.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {D576AB8D-02C7-4588-98AC-5C2533A4481B} (AppWeaverControls.DTPicker) - http://oakman04.jaco...verControls.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbro...kes/FlashAX.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://winternals.w...ent/ieatgpc.cab
O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://oakman04.jaco...eXClipboard.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.jacobs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ppeclt - C:\WINDOWS\SYSTEM32\PPEClt.dll
O23 - Service: ADInsightSvc - Unknown owner - C:\WINDOWS\System32\ADInsightSvc.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Jacobs VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: NMap - Unknown owner - C:\Program Files\NMapWin\bin\nmapserv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SSMServer - Unknown owner - C:\Program Files\SSSI\STORServer\\SSMServer.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -log "*:EventLog:0" -log Connections:EventLog:100 -service (file missing)
  • 0

#4
Guest_thatman_*
Posted 27 June 2005 - 06:25 AM

Guest_thatman_*
  • Guest
Hi LGovier

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Please CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download Metallica’s reg file. Save it to your desktop.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Please set your system to show all files; please see here if you're unsure how to do this.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet,

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gibbnet/
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: PowerBuilder DW Control & JDBC - http://10.163.4.42/apps/cab/jacobs.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://oakman04.jaco...ib/mcsimenu.CAB
O16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - http://oakman05/Alti...isNSConsole.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://oakman04.jaco...lib/VSFlex8.CAB
O16 - DPF: {D576AB8D-02C7-4588-98AC-5C2533A4481B} (AppWeaverControls.DTPicker) - http://oakman04.jaco...verControls.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbro...kes/FlashAX.cab
O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://oakman04.jaco...eXClipboard.CAB
O20 - Winlogon Notify: ppeclt - C:\WINDOWS\SYSTEM32\PPEClt.dll
O23 - Service: ADInsightSvc - Unknown owner - C:\WINDOWS\System32\ADInsightSvc.exe
O23 - Service: SSMServer - Unknown owner - C:\Program Files\SSSI\STORServer\\SSMServer.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Now run Metallica’s reg file

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CWShredder to fix your CWS problem.

Run AD-Aware se

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\Program Files\Parallel Tasking\ptask.exe
C:\winstall.exe
C:\WINDOWS\SYSTEM32\PPEClt.dll
C:\WINDOWS\System32\ADInsightSvc.exe.
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
[b]Please post the logs From Panda, Ewido HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
LGovier
Posted 27 June 2005 - 08:04 AM

LGovier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I couldn't install the Panda scanner.

below is the Ewido log file

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:36:19, 27/06/2005
+ Report-Checksum: D31EA0B3

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 29 min
+ Scanned Files: 127308
+ Speed: 72.98 Files/Second
+ Infected files: 37
+ Removed files: 37
+ Files put in quarantine: 37
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator.IT40-05\Cookies\jacobs@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Cookies\jacobs@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\jacobs@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lgovier\Cookies\lgovier@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lgovier\Cookies\lgovier@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lgovier\Cookies\lgovier@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lgovier\Cookies\lgovier@itproportal[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lgovier\Cookies\lgovier@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\11397.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\11844.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\15740.exe -> TrojanDownloader.Small.alr -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\16189.exe -> TrojanDownloader.Small.alr -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\17483.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\18268.exe -> TrojanDownloader.Small.alr -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\20198.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\27515.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\27952.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\29022.exe -> Trojan.P2E.br -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\32637.exe -> Trojan.P2E.br -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\5268.exe -> TrojanDownloader.Small.alr -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\6103.exe -> TrojanDownloader.Small.alr -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\866.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lgovier\Local Settings\Temp\9493.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\lon-cla\Cookies\jacobs@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lon-cla\Cookies\lon-cla@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lon-cla\Cookies\lon-cla@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Access_Control\instant access.exe -> Trojan.P2E.br -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AFC70A41-174F-4BBC-AD95-0F5AA4\0A97840A-A675-4338-A0A1-59BA7F -> Spyware.NavExcel -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AFC70A41-174F-4BBC-AD95-0F5AA4\1A891D7D-774A-48F9-A3B2-E9C583 -> Spyware.NavExcel.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AFC70A41-174F-4BBC-AD95-0F5AA4\7B1F882E-4AB6-46C2-81DB-E4AE14 -> Spyware.Navexcel -> Cleaned with backup
C:\System Volume Information\_restore{A1FE6B59-41AB-49C6-A56C-59387AE0EB43}\RP292\A0045805.dll -> Spyware.WebEx -> Cleaned with backup
C:\System Volume Information\_restore{A1FE6B59-41AB-49C6-A56C-59387AE0EB43}\RP315\A0047349.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{A1FE6B59-41AB-49C6-A56C-59387AE0EB43}\RP321\A0048891.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{A1FE6B59-41AB-49C6-A56C-59387AE0EB43}\RP322\A0049031.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{A1FE6B59-41AB-49C6-A56C-59387AE0EB43}\RP323\A0049109.exe -> TrojanDownloader.Agent.fk -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\jacobs@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup


::Report End
  • 0

#6
Guest_thatman_*
Posted 27 June 2005 - 08:10 AM

Guest_thatman_*
  • Guest
Hi LGovier

I do need a new HJT.log

Thank you

Kc :tazz:
  • 0

#7
LGovier
Posted 27 June 2005 - 08:15 AM

LGovier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 15:15:10, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Jacobs VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.wins.lawco.com;10.*.*.*;170.130.*.*;*.jacobs.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Bginfo.exe
O4 - Global Startup: Jacobs VPN Client.lnk = C:\Program Files\Jacobs VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - http://oakman05/Alti...isNSConsole.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://winternals.w...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.jacobs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Jacobs VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: NMap - Unknown owner - C:\Program Files\NMapWin\bin\nmapserv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -log "*:EventLog:0" -log Connections:EventLog:100 -service (file missing)
  • 0

#8
Guest_thatman_*
Posted 27 June 2005 - 08:30 AM

Guest_thatman_*
  • Guest
Hi LGovier

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\SpySheriff<--Delete the whole folder
Exit Explorer.Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
LGovier
Posted 27 June 2005 - 09:18 AM

LGovier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Panda log is


Incident Status Location

Adware:Adware/SideSearch No disinfected C:\Documents and Settings\lgovier\Application Data\Lycos
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/Comet No disinfected C:\Program Files\Comet Systems
Virus:Exploit/CodeBase.S No disinfected C:\dieter1.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\dieter1.chm[htm2chm_explorer]
HJT log is

Logfile of HijackThis v1.99.1
Scan saved at 16:18:18, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Jacobs VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.wins.lawco.com;10.*.*.*;170.130.*.*;*.jacobs.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - Global Startup: Bginfo.exe
O4 - Global Startup: Jacobs VPN Client.lnk = C:\Program Files\Jacobs VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - http://oakman05/Alti...isNSConsole.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://winternals.w...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.jacobs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.jacobs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europe.jacobs.com,Jacobs.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Jacobs VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: NMap - Unknown owner - C:\Program Files\NMapWin\bin\nmapserv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -log "*:EventLog:0" -log Connections:EventLog:100 -service (file missing)

thanks
  • 0

#10
Guest_thatman_*
Posted 27 June 2005 - 09:28 AM

Guest_thatman_*
  • Guest
Hi LGovier

Use windows explorer delete the following folders
C:\Documents and Settings\lgovier\Application Data\Lycos<--Delete the whole folder
C:\Program Files\Comet Systems<--Delete the whole folder
C:\dieter1.chm[htm2chm_explorer<--Delete the whole folder

Congratulations! Your system is CLEAN ;)

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn of system restore
Disabling or enabling Windows XP System Restore
WIndows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Have a nice Day.

Kc :tazz:
  • 0

#11
LGovier
Posted 27 June 2005 - 10:17 PM

LGovier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
thanks Very Much for all your help and assistance.
  • 0

#12
Guest_thatman_*
Posted 28 June 2005 - 04:16 AM

Guest_thatman_*
  • Guest
Hi LGovier

If you still use this program: C:\Program Files\RealVNC\VNC4\WinVNC4.exe you have a missing file.
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -log "*:EventLog:0" -log Connections:EventLog:100 -service (file missing)

If you would like to remove this item from the HJT.log

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
VNC Server Version 4 (WinVNC4) - Unknown owner
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

All the best

Kc :tazz:
  • 0

#13
Guest_thatman_*
Posted 29 June 2005 - 07:13 AM

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP