[Rankin]

logs..
looks good!

Logfile of HijackThis v1.99.1
Scan saved at 2:48:12 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Reflection\rnnfserv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Windows\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Windows\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Windows\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\PROGRA~1\IBM\CLIENT~1\cwblmsrv.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\George\NetHood\My Documents\JAMES\Virus Removal\Hijack This!\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\Windows\System32\Userinit.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Windows\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B3614D-5FBC-4847-BC9C-FED32BF8D714}: NameServer = 65.202.164.221,65.202.165.51
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.org
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\Windows\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\Windows\SYSTEM32\PCANotify.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Windows\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Windows\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Windows\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\Windows\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Reflection NFS Client (ReflectionNFS) - WRQ, Inc. - C:\Program Files\Reflection\rnnfserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Windows\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

Panda
////////////////////////////////////////////////////////////////////////////////////
Incident Status Location

Adware:Adware/Popuper No disinfected C:\RECYCLER\S-1-5-21-79331101-33040902-336618761-1316\Dc3.exeold
Virus:Trj/Clicker.HK Disinfected C:\WINDOWS\system32\msole32.exeold

[Advertisements]

Hi rankin

That is looking much better now, in fact just 1 more set of instructions to go. We need to do some general housekeeping on your system to tidy up after the work you have done.

First you have to clean out your temporary files:

• Boot into safe mode.
• Go >Start | Run | type cleanmgr | OK
• Let it scan your system for files to remove.
• Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
• Click "OK" to remove them.
• Click "Yes" to confirm the deletion.

Restart your computer normally to return to normal mode.

Now you need to flush your system restore points of any infected system restores and create a new, clean one.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

This will flush the restores then make a new clean one.

After all that, just one more HJT log to make sure we have got it all sorted still.

UKBiker

[ukbiker]

Hi rankin

That is looking much better now, in fact just 1 more set of instructions to go. We need to do some general housekeeping on your system to tidy up after the work you have done.

First you have to clean out your temporary files:

• Boot into safe mode.
• Go >Start | Run | type cleanmgr | OK
• Let it scan your system for files to remove.
• Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
• Click "OK" to remove them.
• Click "Yes" to confirm the deletion.

Restart your computer normally to return to normal mode.

Now you need to flush your system restore points of any infected system restores and create a new, clean one.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

This will flush the restores then make a new clean one.

After all that, just one more HJT log to make sure we have got it all sorted still.

UKBiker

[Rankin]

cheers mate, really appreciate the help!
amazing service you guys run, even working on it with whats going on back in London!
I will do that when I get in to work tomoz and I'll post the results..

Thanks again, Rankin

[ukbiker]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.