
0dp.com, xbloom.com popups [CLOSED]


  • This topic is locked

#31
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
It's not worked. We need to stop the epolvy trojan so that we can get rid of this - it morphs with each reboot. You can see it in your log as it has r after the entry. I think this one is an orphan:

O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wmyvlew.exe r

However this one is still active:

O4 - HKLM\..\Run: [fdvubb] C:\WINNT\system32\tjgxbaw.exe r

Run Process Explorer and find tjgxbaw.exe in the list of Processes. Select the process and click Process > Suspend.

Then open HijackThis, click Config > Misc Tools > Delete a file on reboot... In the Explorer window select c:\windows\system32\tjgxbaw.exe. When prompted if you want to reboot, click YES.

Important - leave Process Explorer running with the process suspended through the reboot.

Have it reboot into Safe Mode by tapping F8 after the BIOS has loaded. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Reboot into Normal Mode when done, rescan with HJT and post a new log here.
  • 0

#32
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:07:23 PM, on 8/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ikoncenter.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wmyvlew.exe r
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Office\Desktop\l2mfix\second.bat
O4 - HKLM\..\Run: [fdvubb] C:\WINNT\system32\tjgxbaw.exe r
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ikon.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ikon.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ikon.local
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\b2ZmaWNl\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#33
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I'm going to have to call it good for today. I don't think that there is anyone else here to take care of this at the moment, and this is my last day here, so I am not sure if they will continue to work on this problem or not. I will get with them to see if there is someone to continue. Thank you so far for your help.
  • 0

#34
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, we are nearly there. With only HJT running, have it fix:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wmyvlew.exe r
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Office\Desktop\l2mfix\second.bat
O4 - HKLM\..\Run: [fdvubb] C:\WINNT\system32\tjgxbaw.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\b2ZmaWNl\command.exe (file missing)


Reboot and post a new HJT log.

Your last day - not sure I follow what you are saying?
  • 0

#35
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I am working here at the IKON Center, this is where we are having the computer troubles. The thing is that this is my last day working here. I don't think there is anyone who is able to continue working on this. I have no idea what they are going to do. They might find someone.
  • 0

#36
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Ah OK. Well, if you just follow my last post there may well be nothing more to do as I think we have broken the back of it.
  • 0

#37
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I will finish this one out.
  • 0

#38
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:30:35 PM, on 8/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ikoncenter.com/index.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ikon.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ikon.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ikon.local
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\b2ZmaWNl\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0
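The trailing-`r` check from post #31 and the comparison between the fix list in post #34 and the rescan in post #38, written out as an added example that is not part of the thread. The function names are illustrative, and the sample logs are short excerpts of the lines posted above.

```python
import re

# A HijackThis result line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.+)$")
# Body of an O4 registry Run entry: hive, value name in brackets, command line.
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")

def parse_hjt(text):
    """Return (section, body) for each HijackThis result line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def trailing_r_run_entries(entries):
    """O4 Run values whose command is an .exe followed by a lone 'r' argument."""
    hits = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if m and re.search(r"\.exe r$", m.group(3), re.IGNORECASE):
            hits.append((m.group(2), m.group(3)))
    return hits

def still_present(fix_list_text, later_log_text):
    """Entries that were on the fix list but appear unchanged in a later scan."""
    later = set(parse_hjt(later_log_text))
    return [e for e in parse_hjt(fix_list_text) if e in later]

# Excerpt of the scan in post #32.
SCAN_POST_32 = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wmyvlew.exe r
O4 - HKLM\..\Run: [fdvubb] C:\WINNT\system32\tjgxbaw.exe r
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\b2ZmaWNl\command.exe (file missing)
"""

# Excerpt of the entries post #34 asks to have fixed.
FIX_LIST_POST_34 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wmyvlew.exe r
O4 - HKLM\..\Run: [fdvubb] C:\WINNT\system32\tjgxbaw.exe r
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\b2ZmaWNl\command.exe (file missing)
"""

# Excerpt of the rescan in post #38.
SCAN_POST_38 = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\b2ZmaWNl\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for name, cmd in trailing_r_run_entries(parse_hjt(SCAN_POST_32)):
        print("Run value with trailing r:", name, "->", cmd)
    for section, body in still_present(FIX_LIST_POST_34, SCAN_POST_38):
        print("Still present after fix:", section, "-", body)
```

On these excerpts the two Run values disappear after the fix, while the O23 Command Service entry is still listed in the rescan.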

#39
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
One more step ikoncenter, go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "Command Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Post a new HJT log.
  • 0

#40
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
The only button available to push is start. I'm still having a problem with pop-ups. They are coming up even without a browser window open.

The Aurora program is also still there and active.

Edited by ikoncenter, 20 August 2005 - 04:36 PM.

  • 0

#41
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmm... Click here to download ServiceFilter, a little script by rand1038 that reveals potential unauthorised running services in your system. Download, unzip and double-click ServiceFilter.vbs (you may need to enable your antivirus program to run the file). This script will create a text file named Post_This.txt in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
  • 0

#42
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Aug 20, 2005 4:44:31 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: cmdService
Display Name: Command Service
Start Mode: Disabled
Start Name: LocalSystem
Description: Command ...
Service Type: Own Process
Path: c:\winnt\b2zmawnl\command.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: ewido security suite control
Display Name: ewido security suite control
Start Mode: Auto
Start Name: LocalSystem
Description: ewido security suite ...
Service Type: Own Process
Path: c:\program files\ewido\security suite\ewidoctrl.exe
State: Start Pending
Process ID: 524
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 58 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 1.683594 seconds.
  • 0

#43
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Open HijackThis>Config...>Misc Tools>delete an NT Service

enter this: cmdService

and OK your way out. Download and run Silent Runners.vbs from HERE

It generates a log, please post the information back in this thread with a new HJT log.
  • 0

#44
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"sto32_" = "C:\WINNT\system32\sto32_.exe" [file not found]
"aaaaks" = "C:\WINNT\system32\aaaaks.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PopUpStopperFreeEdition" = ""C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"" ["Panicware, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"JobHisInit" = "C:\Program Files\RMClient\JobHisInit.exe" [empty string]
"MplSetUp" = "C:\Program Files\RMClient\MplSetUp.exe" ["RICOH CO.,LTD."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{94D8F8FB-8742-4792-AD02-C35CBE60C2CD}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dhfolder.dll" [file not found]
"{DF631DFB-9AF3-4D68-B3AE-28B6C87DE83C}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\tnaffic.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{CAB81DA3-8DBF-42B4-957F-B33C320DF176}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\guard.tmp" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
gxtqnfxt\(Default) = "{332266dd-9a7d-429f-bf85-1b2378e3504b}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\daobn.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\My Documents\My Pictures\Im000745.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssmarque.scr" [MS]


Startup items in "office" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"IMG_1211" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1211.JPG" [file not found]
"IMG_1219" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1219.JPG" [file not found]
"IMG_1227" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1227.JPG" [file not found]
"IMG_1232" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1232.JPG" [file not found]
"IMG_1246" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1246.JPG" [file not found]
"IMG_1248" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1248.JPG" [file not found]
"IMG_1253" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1253.JPG" [file not found]
"IMG_1258" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1258.JPG" [file not found]
"IMG_1261" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1261.JPG" [file not found]
"IMG_1262" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1262.JPG" [file not found]
"IMG_1263" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1263.JPG" [file not found]
"IMG_1264" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1264.JPG" [file not found]
"IMG_1266" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1266.JPG" [file not found]
"IMG_1268" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1268.JPG" [file not found]
"IMG_1271" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1271.JPG" [file not found]
"IMG_1272" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1272.JPG" [file not found]
"IMG_1273" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1273.JPG" [file not found]
"IMG_1274" -> launches: "C:\Documents and Settings\Mandy\Desktop\Pictures\IMG_1274.JPG" [file not found]
"RUTASK" -> launches: "C:\WINNT\ru.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{79406F24-8E95-4AF8-9FEF-2EA2B504E707}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINNT\eltt.dll" [empty string]

HKLM\Software\Classes\CLSID\{8F7D96AA-489A-4194-AB34-21EF42507932}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINNT\eltt.dll" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 28 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 72 seconds)

Edited by ikoncenter, 20 August 2005 - 04:58 PM.

  • 0

#45
ikoncenter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:04:26 PM, on 8/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ikoncenter.com/index.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ikon.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ikon.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ikon.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0





