Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Sneaky malware program [resolved]

Started by horizvert , Aug 30 2005 05:01 PM

  • This topic is locked This topic is locked

#1
horizvert
Posted 30 August 2005 - 05:01 PM

horizvert

    New Member

  • Member
  • Pip
  • 8 posts
I posted on here about 3 weeks ago when I was unable to run Hijack this. What was happening was each time I put the program on my USB key and put the key in my infected computer, Hijackthis would vanish.

I finally traced the problem to a trojaned McAfee binary. I removed the Mcafee installation and now do not have the problem. Here is my new HijackThis log. I would appreciate any assistance from the experts on here. You guys / girls do a wonderful service to the community at large...

Here is the Log File.

Logfile of HijackThis v1.99.1
Scan saved at 6:49:24 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\SYSTEM32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINXP\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\WINXP\RCSERV.EXE
C:\dmi\win32\bin\Win32sl.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINXP\System32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7ED11B12-A6F5-B554-D71D-D21855F090BD} - C:\WINXP\System32\lwakteiq.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINXP\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O14 - IERESET.INF: START_PAGE_URL=http://intraweb.bcbsnc.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\Software\..\Telephony: DomainName = bcbsnc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0A072E-9DD4-4789-B9BA-03B35F49A6D3}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{759E8A6B-6575-417D-87B0-A9AC3996219B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6038660-064D-4CF4-BBF1-B17896B756C0}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D804FB5F-1BDC-4FF8-9916-7C10504D3BA6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bcbsnc.com
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CWShredder Service - InterMute, Inc. - E:\CWShredder.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NetIQ Endpoint (NetIQEndpoint) - NetIQ Corporation - C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
O23 - Service: OracleOHOME1ClientCache - Unknown owner - c:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\Program Files\Tivoli\lcf\..\swdis\WebUI\swdres.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINXP\RCSERV.EXE
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
  • 0

Advertisements

#2
g2i2r4
Posted 31 August 2005 - 01:40 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome horizvert to Geeks to Go!

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#3
horizvert
Posted 02 September 2005 - 03:57 PM

horizvert

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"ttupt" = "C:\WINXP\ttupt.exe" [file not found]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"hclean32.exe" = "C:\WINXP\System32\hclean32.exe" [null data]
"dmpbs.exe" = "C:\WINXP\System32\dmpbs.exe" [file not found]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{7ED11B12-A6F5-B554-D71D-D21855F090BD}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\System32\lwakteiq.dll" [null data]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{475A9681-F01B-11d5-BC5E-0050CE184C9B}" = "CrimsonEditor.ShellExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Crimson Editor\ShellExt.dll" [null data]
"{D22EEBED-2C4E-461E-AF60-098CF04ABBFA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\system32\lurt.dll" [file not found]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csphw.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Crimson Editor\(Default) = "{475A9681-F01B-11d5-BC5E-0050CE184C9B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Crimson Editor\ShellExt.dll" [null data]
gynsgggy\(Default) = "{93513054-b959-4e6a-ae0d-47c3e9f51463}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\System32\danrd.dll" [file not found]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINXP\Web\Wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINXP\System32\logon.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"Trillian" -> shortcut to: "C:\Program Files\Trillian\trillian.exe" ["Cerulean Studios"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]
"Configuration Utility" -> shortcut to: "C:\Program Files\Compaq\Compaq 11 Mbps Wireless PC Card\Config.exe" ["Neesus Datacom Inc."]
"GroupWise Notify" -> shortcut to: "C:\Novell\GroupWise\Notify.exe" ["Novell, Inc."]
"RaConfig2500" -> shortcut to: "C:\WINXP\system32\RaConfig2500.exe" ["Ralink Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"RUTASK" -> launches: "C:\WINXP\ru.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINXP\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://intraweb.bcbsnc.com

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINXP\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ActionAgent, ActionAgent, "C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe" ["Dell Computer Corporation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINXP\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
DellDmi, DellDmi, "C:\DMI\WIN32\bin\DellDmi.exe" ["Dell Computer Corporation"]
DEventAgent, DEventAgent, "C:\Program Files\Dell\OpenManage\Client\EventAgt.exe" ["Dell Computer Corporation"]
DLT, DLT, "C:\Program Files\Dell\OpenManage\Client\DLT.exe" ["Dell Computer Corporation"]
Iap, Iap, "C:\Program Files\Dell\OpenManage\Client\Iap.exe" ["Dell Computer Corporation"]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
NetIQ Endpoint, NetIQEndpoint, "C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe" ["NetIQ Corporation"]
PostgreSQL Database Server 8.0, pgsql-8.0, "C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe runservice -N "pgsql-8.0" -D "C:\Program Files\PostgreSQL\8.0\data\"" ["PostgreSQL Global Development Group"]
Tivoli Endpoint, lcfd, ""C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE"" [null data]
Tivoli Remote Control Service, TME10RC, "C:\WINXP\RCSERV.EXE" ["TIVOLI Systems"]
Win32Sl, Win32Sl, "C:\dmi\win32\bin\Win32sl.exe" ["Intel"]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "keyex2" ["International Business Machines, Corp."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 42 seconds, including 19 seconds for message boxes)
  • 0

#4
g2i2r4
Posted 02 September 2005 - 04:42 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Ok this will take a few steps.

Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log with be saved at c:\log.txt

  • 0

#5
horizvert
Posted 04 September 2005 - 05:21 PM

horizvert

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINXP\system32\eccs.exe: UPX!
C:\WINXP\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINXP\ru.exe: UPX!
Finished
bye
  • 0

#6
g2i2r4
Posted 05 September 2005 - 12:32 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gynsgggy]

[-HKEY_CLASSES_ROOT\CLSID\{93513054-b959-4e6a-ae0d-47c3e9f51463}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the regfix must look after you created it: Posted Image
Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINXP\System32\danrd.dll
C:\WINXP\System32\lwakteiq.dll
C:\WINXP\System32\dmpbs.exe
C:\WINXP\System32\hclean32.exe
C:\WINXP\ttupt.exe
C:\WINXP\system32\eccs.exe
C:\WINXP\ru.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

please open Start> Run and type MSConfig in the 'Run' box. When the System Configuration Utility opens, go to the 'Startup Tab' and make sure there is a checkmark beside each entry. Then the general tab should have the "normal startup" option checked. REBOOT when asked to by Windows to complete the change

After completing the above please scan again with HJT and POST a new HJT log.
  • 0

#7
horizvert
Posted 06 September 2005 - 04:19 PM

horizvert

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:13:30 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\SYSTEM32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINXP\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\WINXP\RCSERV.EXE
C:\dmi\win32\bin\Win32sl.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Compaq\Compaq 11 Mbps Wireless PC Card\Config.exe
C:\WINXP\system32\RaConfig2500.exe
C:\Program Files\Trillian\trillian.exe
C:\WINXP\SYSTEM32\userinit.exe
C:\WINXP\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7ED11B12-A6F5-B554-D71D-D21855F090BD} - C:\WINXP\System32\lwakteiq.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ttupt] C:\WINXP\ttupt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hclean32.exe] C:\WINXP\System32\hclean32.exe
O4 - HKLM\..\Run: [dmpbs.exe] C:\WINXP\System32\dmpbs.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless PC Card\Config.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: RaConfig2500.lnk = C:\WINXP\system32\RaConfig2500.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intraweb.bcbsnc.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125450696719
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125451317780
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\Software\..\Telephony: DomainName = bcbsnc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0A072E-9DD4-4789-B9BA-03B35F49A6D3}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{759E8A6B-6575-417D-87B0-A9AC3996219B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6038660-064D-4CF4-BBF1-B17896B756C0}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D804FB5F-1BDC-4FF8-9916-7C10504D3BA6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcbsnc.com
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CWShredder Service - Unknown owner - E:\CWShredder.exe (file missing)
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NetIQ Endpoint (NetIQEndpoint) - NetIQ Corporation - C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
O23 - Service: OracleOHOME1ClientCache - Unknown owner - c:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\Program Files\Tivoli\lcf\..\swdis\WebUI\swdres.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINXP\RCSERV.EXE
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
  • 0

#8
g2i2r4
Posted 06 September 2005 - 05:42 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I see you use the HSRemove site. I don't recall advising you to do so. Are you receiving help at another forum too?
  • 0

#9
horizvert
Posted 07 September 2005 - 11:18 AM

horizvert

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
No, I am not receiving any other help from any other forum. I have been explicit with following your directions.

The same entry in my recent hijackthis log was present in my initial hijackthis log. So this must be left over from my earlier attempts to remedy the situation.


dw

Edited by horizvert, 07 September 2005 - 11:22 AM.

  • 0

#10
g2i2r4
Posted 07 September 2005 - 02:26 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm asking this very explicite because some user do try to get help at various sites.
One helper can ask you then to do this and I would ask you to do that. We could be interfering with eachother, leaving you with the pieces.

-------

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {7ED11B12-A6F5-B554-D71D-D21855F090BD} - C:\WINXP\System32\lwakteiq.dll (file missing)

O4 - HKLM\..\Run: [ttupt] C:\WINXP\ttupt.exe

O4 - HKLM\..\Run: [hclean32.exe] C:\WINXP\System32\hclean32.exe

O4 - HKLM\..\Run: [dmpbs.exe] C:\WINXP\System32\dmpbs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0A072E-9DD4-4789-B9BA-03B35F49A6D3}:
NameServer = 69.50.176.198,85.255.112.12

O17 - HKLM\System\CCS\Services\Tcpip\..\{759E8A6B-6575-417D-87B0-A9AC3996219B}: NameServer = 69.50.176.198,85.255.112.12

O17 - HKLM\System\CCS\Services\Tcpip\..\{D6038660-064D-4CF4-BBF1-B17896B756C0}: NameServer = 69.50.176.198,85.255.112.12

O17 - HKLM\System\CCS\Services\Tcpip\..\{D804FB5F-1BDC-4FF8-9916-7C10504D3BA6}: NameServer = 69.50.176.198,85.255.112.12

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

****

Download the Hoster Here
Please do not use program yet

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore orginal host files
  • close program
***

Reboot the computer. Post me a fresh HijackThis log.
Is the computer running ok now?
  • 0

#11
horizvert
Posted 07 September 2005 - 07:42 PM

horizvert

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:36:46 PM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\SYSTEM32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINXP\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\WINXP\RCSERV.EXE
C:\dmi\win32\bin\Win32sl.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Compaq\Compaq 11 Mbps Wireless PC Card\Config.exe
C:\WINXP\system32\RaConfig2500.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless PC Card\Config.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: RaConfig2500.lnk = C:\WINXP\system32\RaConfig2500.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intraweb.bcbsnc.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125450696719
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125451317780
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\Software\..\Telephony: DomainName = bcbsnc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcbsnc.com
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CWShredder Service - Unknown owner - E:\CWShredder.exe (file missing)
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NetIQ Endpoint (NetIQEndpoint) - NetIQ Corporation - C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
O23 - Service: OracleOHOME1ClientCache - Unknown owner - c:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\Program Files\Tivoli\lcf\..\swdis\WebUI\swdres.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINXP\RCSERV.EXE
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
  • 0

#12
g2i2r4
Posted 08 September 2005 - 05:36 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
The log look clean to me.

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?
  • 0

#13
horizvert
Posted 12 September 2005 - 02:01 PM

horizvert

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
g2i2r4,

Yes, I am not having any more instances of malware or strange behaviour. Thank you for your help.

HorizVert
  • 0

#14
g2i2r4
Posted 12 September 2005 - 03:53 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Thank you for the feedback :tazz:

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & Hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP