
HiJAck Log [RESOLVED]


  • This topic is locked

#1
zorba0332

zorba0332

    New Member

  • Member
  • Pip
  • 5 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:48:10 AM, on 6/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRAM FILES\WIBUKEY\SERVER\WkSvW32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\vzankl.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sam\Desktop\security\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fntsrv09:8002
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [scjzfelr] c:\winnt\system32\scjzfelr.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vzankl.exe reg_run
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://intranet

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://69.210.75.98/FeedCtrl.CAB
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: RSBizWare PlantMetrics Server (PlantMetricsServer) - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\PlantMetricsServer.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell Software's Security Server - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\SECURI~1\System\RSSecSrv.exe
O23 - Service: RSBizWare Production Server - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\RSBizWare Production Server.exe
O23 - Service: RSBizWare Security Server - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\RSBizWareSecurityServer.exe
O23 - Service: RSBizWare Scheduler Server (RSBizWareSchedulerServer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSBizWare\RSISchedServer.exe
O23 - Service: RSBizWare Scheduler Capable To Promise Server (RSICTPServer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSBizWare\RSICTPServer.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSSql Configuration Server (rssql_cfg_server) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_cfg_server.exe
O23 - Service: RSSql Compression Server (rssql_comp_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_comp_storer.exe
O23 - Service: RSSql DDE Connector (rssql_ddecoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_ddecoll.exe
O23 - Service: RSSql RSLinx Connector (rssql_lnxcoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_lnxcoll.exe
O23 - Service: RSSql COM+ Connector (rssql_mts_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_mts_storer.exe
O23 - Service: RSSql OCI Enterprise Connector (rssql_oci_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_oci_storer.exe
O23 - Service: RSSql OLE-DB Enterprise Connector (rssql_oledb_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_oledb_storer.exe
O23 - Service: RSSql OPC Connector (rssql_opccoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_opccoll.exe
O23 - Service: RSSql PlantMetrics Enterprise Connector (rssql_pm_storer) - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\rssql_pm_storer.exe
O23 - Service: RSSql FactoryTalk Connector (rssql_rnacoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_rnacoll.exe
O23 - Service: RSSql RSView Connector (rssql_rsvcoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_rsvcoll.exe
O23 - Service: RSSql ODBC Enterprise Connector (rssql_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_storer.exe
O23 - Service: RSSql Transaction Manager (rssql_tb) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_trnmgr.exe
O23 - Service: RSSql Transaction and Control Manager (rssql_tmctrl) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_tmctrl.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WIBU-KEY Server (WKSVW32) - WIBU-SYSTEMS AG - C:\PROGRAM FILES\WIBUKEY\SERVER\WkSvW32.exe

Edited by zorba0332, 23 June 2005 - 06:35 PM.

  • 0

#2
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Welcome,
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
  • 0

#3
zorba0332

zorba0332

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
That's so far... Man, that tool Ewido really rocks!!!

*************************


Logfile of HijackThis v1.99.1
Scan saved at 7:46:12 AM, on 6/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRAM FILES\WIBUKEY\SERVER\WkSvW32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Documents and Settings\sam\Desktop\security\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fntsrv09:8002

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [scjzfelr] c:\winnt\system32\scjzfelr.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vzankl.exe reg_run
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: nact.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: RSBizWare PlantMetrics Server (PlantMetricsServer) - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\PlantMetricsServer.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell Software's Security Server - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\SECURI~1\System\RSSecSrv.exe
O23 - Service: RSBizWare Production Server - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\RSBizWare Production Server.exe
O23 - Service: RSBizWare Security Server - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\RSBizWareSecurityServer.exe
O23 - Service: RSBizWare Scheduler Server (RSBizWareSchedulerServer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSBizWare\RSISchedServer.exe
O23 - Service: RSBizWare Scheduler Capable To Promise Server (RSICTPServer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSBizWare\RSICTPServer.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSSql Configuration Server (rssql_cfg_server) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_cfg_server.exe
O23 - Service: RSSql Compression Server (rssql_comp_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_comp_storer.exe
O23 - Service: RSSql DDE Connector (rssql_ddecoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_ddecoll.exe
O23 - Service: RSSql RSLinx Connector (rssql_lnxcoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_lnxcoll.exe
O23 - Service: RSSql COM+ Connector (rssql_mts_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_mts_storer.exe
O23 - Service: RSSql OCI Enterprise Connector (rssql_oci_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_oci_storer.exe
O23 - Service: RSSql OLE-DB Enterprise Connector (rssql_oledb_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_oledb_storer.exe
O23 - Service: RSSql OPC Connector (rssql_opccoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_opccoll.exe
O23 - Service: RSSql PlantMetrics Enterprise Connector (rssql_pm_storer) - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\rssql_pm_storer.exe
O23 - Service: RSSql FactoryTalk Connector (rssql_rnacoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_rnacoll.exe
O23 - Service: RSSql RSView Connector (rssql_rsvcoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_rsvcoll.exe
O23 - Service: RSSql ODBC Enterprise Connector (rssql_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_storer.exe
O23 - Service: RSSql Transaction Manager (rssql_tb) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_trnmgr.exe
O23 - Service: RSSql Transaction and Control Manager (rssql_tmctrl) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_tmctrl.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WIBU-KEY Server (WKSVW32) - WIBU-SYSTEMS AG - C:\PROGRAM FILES\WIBUKEY\SERVER\WkSvW32.exe

Edited by zorba0332, 23 June 2005 - 06:38 PM.

  • 0

#4
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Download FindQoologic from http://forums.net-in...=post&id=134981
Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder. Preferably on your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, then post it in a reply to your thread.
  • 0

#5
zorba0332

zorba0332

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Again, this place rocks. It is real kewl to have help like this. I am going to buy the Ewido program when I get back from this trip. It will be interesting to see how well it runs with Norton Internet Security.

Thanks again for the help that you continue to offer!

********************************************

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* ad-beh C:\WINNT\JNVKO.DLL
* KavSvc C:\WINNT\System32\ZXBGINP.DLL
* KavSvc C:\WINNT\System32\__DELE~1.DLL
* aspack C:\WINNT\System32\BAQONXC.EXE
* aspack C:\WINNT\System32\MRT.EXE
* UPX! C:\WINNT\System32\DXDBGRID.DLL
* UPX! C:\WINNT\System32\DXEDITRS.DLL
* UPX! C:\WINNT\System32\ZXBGINP.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
AutoCAD Startup Accelerator.lnk

User Startup:
C:\Documents and Settings\sam\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
  • 0

#6
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [scjzfelr] c:\winnt\system32\scjzfelr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vzankl.exe reg_run

2. Delete the files. (if present)

C:\WINNT\JNVKO.DLL
C:\WINNT\System32\ZXBGINP.DLL
C:\WINNT\System32\__DELE~1.DLL
C:\WINNT\System32\BAQONXC.EXE
C:\WINNT\system32\vzankl.exe

3. Then post a new Hijackthis log here in a reply.
  • 0
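As an added illustration of what the expert is doing in the step above (example code written for this page, not part of the thread, HijackThis or ewido): a small Python triage script that parses the O4 autostart lines of a HijackThis log, diffs a before-cleanup log against an after-cleanup log to show which Run entries disappeared, and flags Run entries whose executable sits in the Windows directory under a random-looking name. The BEFORE and AFTER excerpts are constructed, abbreviated versions of the O4 sections in posts #1 and #7; the name heuristic (6 to 8 lowercase letters with at most one vowel) and its thresholds are my own assumptions, not a HijackThis rule, so flagged entries are hints for a human reviewer, not verdicts.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, abbreviated O4 excerpts modelled on this thread's logs:
# BEFORE mirrors post #1 (pre-cleanup), AFTER mirrors post #7 (post-cleanup).
BEFORE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [scjzfelr] c:\winnt\system32\scjzfelr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vzankl.exe reg_run
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
"""

# HijackThis O4 line shapes: registry Run values and Global Startup folder items.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
GLOBAL_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?)(?: = (?P<cmd>.+))?$")
# First program in a logged command line, quoted or not.
EXE_RE = re.compile(r'"?([^"]+?\.(?:exe|com|bat|cmd|scr|pif))(?:"|\s|$)', re.I)
WINDIR_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\", re.I)
RANDOM_RE = re.compile(r"^[a-z]{6,8}$")  # assumption: length band of the random names seen here


@dataclass(frozen=True)
class Entry:
    kind: str   # "Run" or "Global Startup"
    hive: str   # HKLM / HKCU, empty for startup-folder items
    name: str   # registry value name or .lnk name
    cmd: str    # command line as logged


def parse_o4(text: str) -> List[Entry]:
    """Extract O4 autostart entries from HijackThis log text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("Run", m["hive"], m["name"], m["cmd"]))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            entries.append(Entry("Global Startup", "", m["name"], m["cmd"] or m["name"]))
    return entries


def executable_of(cmd: str) -> str:
    """Return the program a logged command line launches (first exe/com/bat ...)."""
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6-8 letters with at most one vowel, e.g. scjzfelr."""
    s = stem.lower()
    return bool(RANDOM_RE.match(s)) and sum(c in "aeiou" for c in s) <= 1


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Flag entries that launch a random-looking binary from the Windows directory."""
    flagged = []
    for e in entries:
        exe = executable_of(e.cmd)
        stem = ntpath.splitext(ntpath.basename(exe))[0]
        if not (WINDIR_RE.match(exe) and looks_random(stem)):
            continue
        reasons = ["random-looking executable name under the Windows directory"]
        if e.name.lower() != stem.lower():
            reasons.append("value name does not match the executable name")
        flagged.append((e, reasons))
    return flagged


def diff_o4(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries present only in the earlier log, and entries present only in the later log."""
    b, a = parse_o4(before), parse_o4(after)
    bset, aset = set(b), set(a)
    return [e for e in b if e not in aset], [e for e in a if e not in bset]


if __name__ == "__main__":
    for entry, reasons in triage(parse_o4(BEFORE)):
        print(f"[{entry.name}] {entry.cmd}\n    " + "; ".join(reasons))
    removed, added = diff_o4(BEFORE, AFTER)
    print("removed after cleanup:", [e.name for e in removed])
    print("new after cleanup:    ", [e.name for e in added])
```

Run against the constructed excerpts, the script flags exactly the two entries the expert asked to fix, and the KavSvc entry gets a second reason because its value name does not match the file it launches (vzankl.exe). The diff is the part worth keeping in a real workflow: pasting the full before and after logs into BEFORE and AFTER shows whether the entries you fixed actually stayed gone after the reboot, and whether anything new appeared.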

#7
zorba0332

zorba0332

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:05:05 PM, on 6/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRAM FILES\WIBUKEY\SERVER\WkSvW32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Documents and Settings\sam\Desktop\security\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fntsrv09:8002
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: RSBizWare PlantMetrics Server (PlantMetricsServer) - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\PlantMetricsServer.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell Software's Security Server - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\SECURI~1\System\RSSecSrv.exe
O23 - Service: RSBizWare Production Server - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\RSBizWare Production Server.exe
O23 - Service: RSBizWare Security Server - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\RSBizWareSecurityServer.exe
O23 - Service: RSBizWare Scheduler Server (RSBizWareSchedulerServer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSBizWare\RSISchedServer.exe
O23 - Service: RSBizWare Scheduler Capable To Promise Server (RSICTPServer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSBizWare\RSICTPServer.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSSql Configuration Server (rssql_cfg_server) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_cfg_server.exe
O23 - Service: RSSql Compression Server (rssql_comp_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_comp_storer.exe
O23 - Service: RSSql DDE Connector (rssql_ddecoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_ddecoll.exe
O23 - Service: RSSql RSLinx Connector (rssql_lnxcoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_lnxcoll.exe
O23 - Service: RSSql COM+ Connector (rssql_mts_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_mts_storer.exe
O23 - Service: RSSql OCI Enterprise Connector (rssql_oci_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_oci_storer.exe
O23 - Service: RSSql OLE-DB Enterprise Connector (rssql_oledb_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_oledb_storer.exe
O23 - Service: RSSql OPC Connector (rssql_opccoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_opccoll.exe
O23 - Service: RSSql PlantMetrics Enterprise Connector (rssql_pm_storer) - Rockwell Software - C:\Program Files\Rockwell Software\RSBizWare\rssql_pm_storer.exe
O23 - Service: RSSql FactoryTalk Connector (rssql_rnacoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_rnacoll.exe
O23 - Service: RSSql RSView Connector (rssql_rsvcoll) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_rsvcoll.exe
O23 - Service: RSSql ODBC Enterprise Connector (rssql_storer) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_storer.exe
O23 - Service: RSSql Transaction Manager (rssql_tb) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_trnmgr.exe
O23 - Service: RSSql Transaction and Control Manager (rssql_tmctrl) - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSSql\rssql_tmctrl.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WIBU-KEY Server (WKSVW32) - WIBU-SYSTEMS AG - C:\PROGRAM FILES\WIBUKEY\SERVER\WkSvW32.exe

Edited by zorba0332, 23 June 2005 - 06:40 PM.

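The O23 entries above are the service list a reviewer reads line by line before calling a log clean. As an added example (not from the thread and not part of HijackThis), here is a small Python parser for that line format that extracts the service name, owner and image path and flags the two things worth a second look: an owner HijackThis could not identify, and a registered service whose executable is no longer on disk, as in the WinVNC4 entry. The three sample lines are copied from the log; the regular expression and flag names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis O23 line layout, as seen in the log above:
#   O23 - Service: <display> [(<name>)] - <owner> - <ImagePath> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<rest>.+)$"
)

@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    flags: List[str] = field(default_factory=list)

def parse_o23(line: str) -> Optional[Service]:
    """Parse one O23 line; returns None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest, flags = m.group("rest"), []
    if rest.endswith("(file missing)"):
        # The registry still points at an executable that is no longer on disk.
        flags.append("file missing")
        rest = rest[: -len("(file missing)")].strip()
    # HijackThis prints the raw ImagePath; a stray quote followed by arguments
    # (e.g. ...WinVNC4.exe" -service) means the registry value was quoted.
    path = rest.split('"')[0].strip()
    if m.group("owner") == "Unknown owner":
        # No company name could be read from the binary: verify it by hand.
        flags.append("unknown owner")
    return Service(m.group("display"), m.group("short") or m.group("display"),
                   m.group("owner"), path, flags)

def triage(lines: List[str]) -> List[Service]:
    """Return the O23 entries a reviewer should look at first, in log order."""
    return [s for s in map(parse_o23, lines) if s is not None and s.flags]

# Three lines copied from the log above; the rest of the log is read the same way.
SAMPLE = [
    r"O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe",
    r"O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE",
    r'O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)',
]
for svc in triage(SAMPLE):
    print(f"{svc.short:<10} {', '.join(svc.flags):<27} {svc.path}")
```

A flag is a prompt for a manual check, not a verdict: "Unknown owner" only means the binary carried no readable company name, and "file missing" is a stale registration that still deserves removal because the service will fail to start or can be hijacked by dropping a file at that path.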

#8
therock247uk
Your log is clean :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard <= SpywareGuard offers real-time protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.

#9
zorba0332
thanks for the help!! :tazz:

#10
therock247uk
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.