rdriv.sys refusing to go [RESOLVED]



#16 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
You're doing great.

Please read this link.

http://vil.nai.com/v...nt/v_101028.htm

Does this look familiar? You may want to contact your bank just to be on the safe side.

#17 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
thatman also suggested we do this:

Please download and run Blacklight.
F-Secure Blacklight: http://www.f-secure....light/try.shtml
Leave [X] scan through Windows Explorer checked,
click > Scan, then > if any items are found click > Next.

After you have rebooted, post back with a fresh HijackThis log please.

How to use F-Secure Blacklight
http://www.europe.f-...lacklight/help/

#18 DJBenz (Member, Topic Starter, 20 posts)
HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 21:10:18, on 19/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\UGSPLM\I-DEAS11\sec\eds_id11.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Office Mouse\moffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\updater.pif
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: n127.0.0.1 www.symantec.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\5.tmp
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124040838625
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C51961-3736-48B6-9BCE-E0BB58FEE0BB}: NameServer = 83.146.21.5 83.146.21.6
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FLEXlm License Manager - Unknown owner - C:\EDS\I-DEAS10\sec\lmgrd.exe (file missing)
O23 - Service: I-DEAS License Manager 11.0 - GLOBEtrotter Software Inc. - C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing)
O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing)
O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing)
O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)

EWIDO Log

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:  	19:55:59, 19/08/2005
 + Report-Checksum:  8BEA2665

 + Scan result:

	:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
	:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
	:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
	:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
	:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
	:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
	:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
	:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
	:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
	:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
	:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
	:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
	:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
	:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
	:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
	:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
	:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
	:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
	:mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.102:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.103:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.108:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.109:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.111:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.112:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.113:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
	:mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
	:mozilla.130:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
	:mozilla.227:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
	:mozilla.228:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
	:mozilla.240:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
	:mozilla.243:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
	:mozilla.244:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
	:mozilla.245:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
	:mozilla.250:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
	:mozilla.260:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
	:mozilla.261:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
	:mozilla.262:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
	:mozilla.263:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
	:mozilla.264:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
	:mozilla.275:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
	:mozilla.307:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
	:mozilla.317:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
	:mozilla.318:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
	:mozilla.319:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
	:mozilla.320:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
	:mozilla.333:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Counted : Cleaned with backup
	:mozilla.369:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.370:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.371:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.381:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.392:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.393:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.394:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.395:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.396:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.397:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.398:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.399:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.400:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
	:mozilla.401:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
	:mozilla.402:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
	:mozilla.413:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.414:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.415:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.416:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.417:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.418:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
	:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
	:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
	:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	:mozilla.6:C:\Documents and Settings\Administrator\My Documents\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
	:mozilla.7:C:\Documents and Settings\Administrator\My Documents\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
	C:\WINNT\system32\wpa.exe -> Backdoor.IRCBot.ex : Cleaned with backup


::Report End

Rdrivrem log

      ~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~ 

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


      ~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~ 

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

Still cannot connect to Activescan. During the housecall scan, AVG picked up a trojan and deleted it.

WPA.exe has returned to the HJT log despite being checked for fixing previously....

Blacklight scan is clean.

#19 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Hi DJ. I'm copying and pasting the log. It's easier to read. Please don't place it in code. I'm too old and my eyes aren't that good. Thanks. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 21:10:18, on 19/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\UGSPLM\I-DEAS11\sec\eds_id11.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Office Mouse\moffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\updater.pif
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: n127.0.0.1 www.symantec.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\5.tmp
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124040838625
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C51961-3736-48B6-9BCE-E0BB58FEE0BB}: NameServer = 83.146.21.5 83.146.21.6
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FLEXlm License Manager - Unknown owner - C:\EDS\I-DEAS10\sec\lmgrd.exe (file missing)
O23 - Service: I-DEAS License Manager 11.0 - GLOBEtrotter Software Inc. - C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing)
O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing)
O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing)
O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:55:59, 19/08/2005
+ Report-Checksum: 8BEA2665

+ Scan result:

:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.275:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.307:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.317:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.319:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.320:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Counted : Cleaned with backup
:mozilla.369:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.370:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.371:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.381:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.392:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.393:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.394:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.395:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.396:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.397:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.398:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.401:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.402:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.413:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.414:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.415:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.416:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.417:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.418:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.1gf\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Administrator\My Documents\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\My Documents\Thunderbird\Profiles\default.hom\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
C:\WINNT\system32\wpa.exe -> Backdoor.IRCBot.ex : Cleaned with backup


::Report End

#20
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Could you open up HijackThis >> Config >> Misc Tools >> Open Hosts File Manager?
Your Hosts file should look like this, in quotes, unless you manually added a custom Hosts file:


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost



This trojan will rewrite your Hosts file to add entries such as this (in bold):
127.0.0.1 www.symantec.com
which stops you from accessing AV websites.
If this is the case, could you highlight any line BELOW
127.0.0.1 localhost <-- don't delete this line
and use the Delete Line(s) button to remove the line.

Do another scan with Hijackthis and put a check next to these entries

O1 - Hosts: 127.0.0.1 www.symantec.com

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\5.tmp
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif

O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINNT\system32\5.tmp
updater.pif


Restart back into Normal Mode. Post back with a fresh HijackThis log and a Silent Runners log.

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.



Let me know how things are running....
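As an added example (not code from this thread, from HijackThis or from ewido), here is a small Python script that automates the two checks coachwife6 describes above: scanning the Hosts file for lines that redirect anything other than localhost to 127.0.0.1, and scoring HijackThis O4/O23 lines for the traits of the entries flagged in that post (RunServices values, Run values that launch a .pif or .tmp instead of an .exe, a value name that impersonates Windows Update, and services with no company name whose binary is missing or sits in system32). The sample Hosts file and the sample log lines are constructed from the logs quoted in this thread; the function names `hosts_hijacks` and `hjt_triage` and the scoring rules are my own assumptions, not anything the tools themselves provide.

```python
"""Added triage helpers (not part of the thread): check a Hosts file for
hijacked security-vendor entries and score HijackThis O4/O23 lines for the
traits of the entries flagged in this thread.  All sample data below is
constructed from the log lines quoted in the thread."""
import re

# Constructed: the default Windows 2000 Hosts file with two injected lines of
# the kind described in the thread, plus one legitimate user-added LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com   # injected by the trojan
192.168.1.10    bensonpc                  # user-added, points at a LAN box
"""

LOOPBACK = {"127.0.0.1", "::1"}


def hosts_hijacks(text):
    """Return (line_no, ip, hostname) for each Hosts entry that maps a name
    other than 'localhost' to loopback.  The thread's rule: anything below
    '127.0.0.1 localhost' that still points at 127.0.0.1 is suspect.
    Ad-blocking Hosts files do this on purpose, so treat hits as candidates
    to review, not as proof of infection."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() != "localhost":
                hits.append((n, ip, name))
    return hits


# Constructed sample: a subset of the O4/O23 lines from the logs in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\5.tmp
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: FLEXlm License Manager - Unknown owner - C:\EDS\I-DEAS10\sec\lmgrd.exe (file missing)
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
"""

# HijackThis line shapes: "O4 - HIVE\..\Key: [value name] command" and
# "O23 - Service: name - company - path".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def hjt_triage(log):
    """Return {log line: [reasons]} for every O4/O23 line that matches a rule
    drawn from the entries flagged in this thread; unmatched lines are omitted.
    The rules are heuristics (my own), so review hits by hand."""
    findings = {}
    for line in log.strip().splitlines():
        reasons = []
        if (m := O4_RE.match(line)):
            key, name, cmd = m.group("key"), m.group("name").lower(), m.group("cmd").strip()
            # first token of the command is the launched file, quoted or not
            exe = cmd.split('"')[1] if cmd.startswith('"') else (cmd.split() or [""])[0]
            ext = exe.lower().rsplit(".", 1)[-1] if "." in exe else ""
            if key == "RunServices":
                reasons.append("RunServices autostart (every RunServices entry in this thread was malware)")
            if ext != "exe":
                reasons.append(f"Run value launches a .{ext} file rather than an .exe")
            if "windows" in name and "updat" in name:
                reasons.append("value name impersonates Windows Update, which does not autostart via a Run value")
        elif (m := O23_RE.match(line)):
            owner, path = m.group("owner"), m.group("path")
            if owner == "Unknown owner" and path.endswith("(file missing)"):
                reasons.append("no company name and the service binary is not found on disk")
            if owner == "Unknown owner" and "\\system32\\" in path.lower():
                reasons.append("binary with no company name placed in system32")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for hit in hosts_hijacks(SAMPLE_HOSTS):
        print("HOSTS line %d: %s -> %s" % hit)
    for line, why in hjt_triage(SAMPLE_HJT).items():
        print(line, "\n   ", "; ".join(why))
```

Hits are candidates for a person to review rather than verdicts: the FLEXlm entry in the sample trips the same "unknown owner, file missing" rule as wpa even though it is only a dead license-manager service, the ATI Smart entry in the full log above would trip the system32 rule, and an ad-blocking Hosts file lights up every line of `hosts_hijacks`.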

#21
DJBenz

    Member

  • Topic Starter
  • Member
  • 20 posts
OK, I looked at the hosts file and it is exactly as it should be. The only modification is one I made, adding an IP and host name of my PC to identify it to my router (currently I'm not using the router as it is being replaced).

5.tmp was not found. Nor was updater.pif, but I found a shortcut to 'updater' which threw up an error message if I tried to find the program it was pointing to, so I deleted it.

Latest HJT log (O23 ... wpa.exe still present)

Logfile of HijackThis v1.99.1
Scan saved at 21:33:42, on 21/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\UGSPLM\I-DEAS11\sec\eds_id11.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\svchost.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124040838625
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FLEXlm License Manager - Unknown owner - C:\EDS\I-DEAS10\sec\lmgrd.exe (file missing)
O23 - Service: I-DEAS License Manager 11.0 - GLOBEtrotter Software Inc. - C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing)
O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing)
O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing)
O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)

Silent Runners Log:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"HPDJ Taskbar Utility" = "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"(Default)" = (empty string)
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\My Documents\My Pictures\ryan & dinosaurs med.jpg"


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"CAMEDIA Master" -> shortcut to: "C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe" ["OLYMPUS OPTICAL CO.,LTD."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\msafd.dll [MS], 03 - 05, 09 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]


HOSTS file
----------

C:\WINNT\System32\drivers\etc\HOSTS

maps: 49 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
I-DEAS License Manager 11.0, I-DEAS License Manager 11.0, "C:\UGSPLM\I-DEAS11\sec\lmgrd.exe" ["GLOBEtrotter Software Inc."]
IT iona_services.config_rep.bensonpc cfr-MyDomain, IT iona_services.config_rep.bensonpc cfr-MyDomain, ""C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start" ["IONA Technologies"]

Please note, when Silent Runners had completed its scan it gave this error:

[screenshot of the error message; image not preserved]

I don't know if that's significant.

Edited by DJBenz, 21 August 2005 - 03:41 PM.

  • 0

#22 DJBenz (Topic Starter, Member, 20 posts)
Some potentially good news. My router replacement came today (old one was faulty), so now I should be able to connect to the internet if I choose "Safe mode with networking" and do an ActiveScan?
  • 0

#23 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
I was going to ask Michelle and thatman to look at your log today and make sure we are on the right track. I will be back in touch later this a.m. Have a great Monday. :tazz:
  • 0

#24 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Thatman gave me some great instructions. He is awesome. :)

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Windows Product Activation (wpa)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

Please go offline,
close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)

The following can be checked in hijack this but please read first.

It's possible that the following are secure download and upload software for transferring large files. This item below is some sort of open source, maybe Java or Visual Basic; best that you uninstall this application. If you use or need the software he will have to reinstall, as some of the links are missing.

O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing)

O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing)

O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing)

O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing)

Click on Fix Checked when finished and exit HijackThis.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINNT\system32\wpa.exe

Reboot and post a new log. Thanks thatman. :tazz:
  • 0
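As an added illustration (not from this thread, thatman's instructions or HijackThis itself), the Python script below parses O23 service lines in the format quoted above and flags the combination that singled out the wpa service: a binary with no recognised owner that is no longer on disk. Entries under a directory the machine's owner vouches for (here the I-DEAS install under C:\UGSPLM\, as the poster confirms later in the thread) are downgraded to "review" instead; the sample lines and that trusted prefix are constructed from the logs in this thread.

```python
"""Triage of HijackThis O23 (service) entries.

Added example, not part of this thread or of HijackThis. It flags the
pattern behind the wpa service above: a service whose binary has no
recognised owner and is no longer on disk. Sample lines and the trusted
prefix are constructed from the logs quoted in this thread.
"""
import re
from typing import Any, Dict, List, Optional, Sequence

# One O23 line, as HijackThis 1.99 prints it:
# O23 - Service: <display name> [(<service name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: entries taken from the HJT logs in this thread.
SAMPLE_LOG = [
    "O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\\WINNT\\system32\\wpa.exe (file missing)",
    "O23 - Service: ATI Smart - Unknown owner - C:\\WINNT\\system32\\ati2sgag.exe",
    "O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe",
    "O23 - Service: FLEXlm License Manager - Unknown owner - C:\\EDS\\I-DEAS10\\sec\\lmgrd.exe (file missing)",
    "O23 - Service: I-DEAS License Manager 11.0 - GLOBEtrotter Software Inc. - C:\\UGSPLM\\I-DEAS11\\sec\\lmgrd.exe",
    # IONA entry abbreviated; the real one carries a long -ORB... argument list
    "O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - "
    "C:\\UGSPLM\\I-DEAS11\\Iona\\OrbixE2A\\asp\\5.1\\bin\\itlocator.exe\" -ORBdomain_name MyDomain -plugin=locator it_jump_start (file missing)",
    "O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4ss.exe",
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",  # not a service line; must be ignored
]


def parse_o23(line: str) -> Optional[Dict[str, Any]]:
    """Split one O23 line into its fields, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        "short": m.group("short"),      # service key name, when HJT shows it
        "owner": m.group("owner"),      # "Unknown owner": no company name in version info
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def exe_name(path: str) -> str:
    """Executable launched by the service: cut the command line at '.exe' so
    stray quotes and arguments (as in the IONA entries) are dropped."""
    i = path.lower().find(".exe")
    return path[: i + 4] if i >= 0 else path.split(" ")[0]


def triage(lines: Sequence[str], trusted_prefixes: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Return the entries worth a second look, most suspicious first.

    trusted_prefixes are install directories the machine owner vouches for;
    a missing binary there reads as a broken uninstall rather than malware."""
    levels = {"high": 0, "medium": 1, "review": 2, "low": 3}
    findings = []
    for line in lines:
        e = parse_o23(line)
        if e is None:
            continue
        unknown = e["owner"] == "Unknown owner"
        trusted = any(e["path"].lower().startswith(p.lower()) for p in trusted_prefixes)
        if unknown and e["missing"] and not trusted:
            level, why = "high", "no owner and binary not on disk"
        elif e["missing"] and trusted:
            level, why = "review", "binary missing under a trusted install directory"
        elif e["missing"]:
            level, why = "medium", "binary not on disk"
        elif unknown:
            level, why = "low", "no owner, but binary present"
        else:
            continue
        findings.append({"level": level, "service": e["short"] or e["display"],
                         "exe": exe_name(e["path"]), "why": why})
    findings.sort(key=lambda f: levels[f["level"]])  # stable: log order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_prefixes=("C:\\UGSPLM\\",)):
        print(f"{f['level']:6} {f['service']:40} {f['exe']}  ({f['why']})")
```

A "high" finding is a candidate for a human decision, not a verdict: the leftover I-DEAS 10 FLEXlm entry scores the same as wpa until the owner explains it, exactly the kind of back-and-forth this thread goes through with the CAD daemons.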

#25 DJBenz (Topic Starter, Member, 20 posts)

The following can be checked in hijack this but please read first.

It's possible that the following are secure download and upload software for transferring large files. This item below is some sort of open source, maybe Java or Visual Basic; best that you uninstall this application. If you use or need the software he will have to reinstall, as some of the links are missing.

O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing)

O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing)

O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing)

O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing)

Click on Fix Checked when finished and exit HijackThis.


These services are for the license daemon for my CAD (Computer Aided Design) software. I am confident that they are not rogue services, and they match the same services running on my work machine where I use the same software. If need be I can uninstall the software but it would be a major PITA. (6 CDs to re-install!) :tazz:

Edited by DJBenz, 22 August 2005 - 08:21 AM.

  • 0



#26 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Leave them for now then, but they do have files missing.
  • 0

#27 DJBenz (Topic Starter, Member, 20 posts)

Leave them for now then, but they do have files missing.


Probably been mistakenly removed by a spyware program. :tazz:
  • 0

#28 DJBenz (Topic Starter, Member, 20 posts)
I fear we may now be at a dead-end and a clean install may be the only way forward.

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 19:55:32, on 22/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\UGSPLM\I-DEAS11\sec\eds_id11.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\svchost.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124040838625
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C51961-3736-48B6-9BCE-E0BB58FEE0BB}: NameServer = 83.146.21.5 83.146.21.6
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FLEXlm License Manager - Unknown owner - C:\EDS\I-DEAS10\sec\lmgrd.exe (file missing)
O23 - Service: I-DEAS License Manager 11.0 - GLOBEtrotter Software Inc. - C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing)
O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing)
O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing)
O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

The wpa.exe service is gone (because it is disabled), but it is still present in services.msc (if it is running, HJT cannot fix it - if it's disabled HJT doesn't find it.) I still cannot connect to Activescan or Amazon.
  • 0

#29 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
We can fix this. Don't give up.

I am going to have thatman handle you directly. He is one of the best on the board.
  • 0

#30 DJBenz (Topic Starter, Member, 20 posts)

We can fix this. Don't give up.

I am going to have thatman handle you directly. He is one of the best on the board.


Thank you sincerely for your help this far. I really couldn't have hoped to get anywhere near the stage I'm at without it.
  • 0