Help in removing Remon.sys



#1 rupi (New Member)
Hi,

I get repeated warnings on starting my laptop for remon.sys. I use CA eTrust antivirus software. The infection is not getting cleared. Can someone please help me in removing the infection?

Any help will be greatly appreciated.

The log file of HijackThis is as below:
Logfile of HijackThis v1.99.1
Scan saved at 6:05:35 PM, on 10/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CA\UAM\Agents\cam.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\msstl.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\smsc.exe
C:\Program Files\iPass\iPassConnect Infosys\idialer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Software\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\UAM\Agents\amagent.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emersonproce...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7138E98-95AA-484D-B6A9-5EE1CB922E57}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O20 - Winlogon Notify: gebby - C:\WINDOWS\SYSTEM32\gebby.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe



Thanks
rupi


#2 Buckeye_Sam (Malware Expert)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3 rupi (Topic Starter)
Thanks for your reply.
No, I have not been able to resolve the problem. I contacted the CA eTrust antivirus team but have not got a useful response.

The antivirus catches the virus every time on starting the laptop but never removes it.

Can you please help me by listing the steps I need to do to remove the remon.sys file.

I have CA eTrust antivirus, HijackThis, Adware free version installed. Do I need any other tools? Because of the infection, I am finding it difficult to install new software. So if possible please advise on how to get rid of this infection and then I will be able to install new software.

Thanks for your help.

rupi

#4 rupi (Topic Starter)
Just to add to my previous reply:

I get an Efewe.H virus warning from eTrust antivirus on starting up. The warning gives remon.sys as the infected file and gives a message that the cure is completed and the comp needs to reboot to complete the cure. But even after rebooting I get the same warning.
Also there is no change in the Log.
Thanks

#5 Buckeye_Sam (Malware Expert)
You will need to download a few programs. One is very small, the other is a larger download.

Download rdrivRem.zip and unzip it to your desktop, but do not run it yet.



Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.



Don't run either program yet. I need to see an updated Hijackthis log and then I'll post the fix.

#6 rupi (Topic Starter)
Thanks for your update.
I have installed the two programs you mentioned but have not run them yet.

The latest hijackthis log file is given below:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:43 AM, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CA\UAM\Agents\cam.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\msstl.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\CA\UAM\Agents\umclisvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\UAM\Agents\SWMSPWNT.EXE
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HYDWINSOCK01:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Software\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ljhih.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\UAM\Agents\amagent.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emersonproce...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)

Please let me know the next steps.

Thanks
rupi

#7 Buckeye_Sam (Malware Expert)
First you will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net...wnload/updates/


Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.

Please follow these steps.

1.) Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Delete your temp files
  • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.

4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)


Close HiJackThis.

Reboot your computer into normal mode.

5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

6.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

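Added example, not code from this thread or from HijackThis: a small Python script that parses HijackThis log entries, applies the checks a helper applies by eye (an HKLM start/search page pointing at an unexpected host, a BHO loading straight from System32, a Winlogon Notify handler that is not a known vendor one, an O23 service with no owner or a missing file), and diffs the two logs posted above. The allowlists of vendor Notify handlers and of the internal start page host are assumptions taken from what the helper left alone; the log text is a constructed excerpt of the logs in posts #1 and #6.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the two logs posted in this thread (posts #1 and #6).
LOG_OCT_8 = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:05:35 PM, on 10/8/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: gebby - C:\WINDOWS\SYSTEM32\gebby.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
"""

LOG_OCT_12 = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:53:43 AM, on 10/12/2005

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ljhih.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# Assumed allowlists, built from what the helper left alone in this thread:
# vendor Winlogon Notify handlers and the internal start page host "sparsh".
KNOWN_NOTIFY = {"igfxcui", "sebring"}
TRUSTED_HOSTS = {"sparsh"}


@dataclass(frozen=True)
class Entry:
    kind: str  # section code such as "O20"
    body: str  # text after "O20 - "

    def __str__(self):
        return f"{self.kind} - {self.body}"


def parse_log(text):
    """Return the R/F/O entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def url_host(value):
    m = re.match(r"https?://([^/]+)", value)
    return m.group(1).lower() if m else ""


def review_reasons(entry):
    """Reasons (possibly none) a helper would pick this entry out for a closer look."""
    reasons = []
    kind, body = entry.kind, entry.body
    if kind in ("R0", "R1"):
        value = body.partition(" = ")[2]
        if value.startswith("http") and url_host(value) not in TRUSTED_HOSTS:
            reasons.append("IE start/search page points at an unexpected host")
    elif kind == "O2":
        path = body.rsplit(" - ", 1)[-1].lower()
        if "\\windows\\system32\\" in path:
            reasons.append("BHO loads straight from System32, not a program folder")
    elif kind == "O20":
        name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if name not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify handler not on the known-vendor list")
    elif kind == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if body.endswith("(file missing)"):
            reasons.append("service registration points at a binary that is gone")
    return reasons


def flag_entries(text):
    """(entry, reasons) for every entry of the log that trips at least one check."""
    flagged = []
    for entry in parse_log(text):
        reasons = review_reasons(entry)
        if reasons:
            flagged.append((str(entry), reasons))
    return flagged


def diff_logs(old_text, new_text):
    """Entries that appeared and disappeared between two logs of the same machine."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(map(str, new - old)), sorted(map(str, old - new))


if __name__ == "__main__":
    for entry, reasons in flag_entries(LOG_OCT_12):
        print(entry, "\n   ->", "; ".join(reasons))
    added, removed = diff_logs(LOG_OCT_8, LOG_OCT_12)
    print("new since 10/8:", *added, sep="\n  ")
    print("gone since 10/8:", *removed, sep="\n  ")
```

The diff shows the Winlogon Notify handler changing name between the two logs (gebby, then ljhih) and a BHO named MSEvents Object appearing from that same DLL; the ewido report further down flags the MSEvents.MSEvents class as Spyware.VirtuMonde, and this kind of change is only visible with a fresh log.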
#8 rupi (Topic Starter)
Updates from my side:

1) Completed as specified. The contents of the file are:

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~



~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~



~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

2) Completed as specified. The log file is given below:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:37:36 PM, 10/12/2005
+ Report-Checksum: DC9463A3

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{037C47A1-A5EB-4A81-82DD-7615EF5E7BEE}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2531390A-1AA6-4F8D-8224-82808F81406E}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKU\S-1-5-21-1078081533-1563985344-1343024091-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@a.as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@ehg-siebel.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\data\Ravikumar_S\Cookies\ravikumar_s@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@a.as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz3.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz4.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bskyb.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-newsinternational.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-newsinternational.hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-pizzahut.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@programs.wegcash[1].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Q319243.COM.0.AVB -> TrojanDropper.Small.hx : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@ehg-siebel.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\ravikumar_s\Cookies\ravikumar_s@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@2o7[3].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ads.pointroll[3].txt -> Spyware.Cookie.Pointroll :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@advertising[1].txt -> Spyware.Cookie.Advertising :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@advertising[2].txt -> Spyware.Cookie.Advertising :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@advertising[3].txt -> Spyware.Cookie.Advertising :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@as-us.falkag[1].txt -> Spyware.Cookie.Falkag :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@as-us.falkag[2].txt -> Spyware.Cookie.Falkag :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with

backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@atdmt[3].txt -> Spyware.Cookie.Atdmt : Cleaned with

backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@atdmt[4].txt -> Spyware.Cookie.Atdmt : Cleaned with

backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with

backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@bfast[3].txt -> Spyware.Cookie.Bfast : Cleaned with

backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@bluestreak[1].txt -> Spyware.Cookie.Bluestreak :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@bluestreak[2].txt -> Spyware.Cookie.Bluestreak :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@bs.serving-sys[3].txt -> Spyware.Cookie.Serving-sys

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@burstnet[2].txt -> Spyware.Cookie.Burstnet :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@burstnet[3].txt -> Spyware.Cookie.Burstnet :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@casalemedia[1].txt -> Spyware.Cookie.Casalemedia :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@casalemedia[2].txt -> Spyware.Cookie.Casalemedia :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@centrport[2].txt -> Spyware.Cookie.Centrport :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@centrport[3].txt -> Spyware.Cookie.Centrport :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@citi.bridgetrack[1].txt ->

Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@citi.bridgetrack[2].txt ->

Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@com[2].txt -> Spyware.Cookie.Com : Cleaned with

backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@data.coremetrics[1].txt ->

Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@data.coremetrics[2].txt ->

Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@dbs.advertising[1].txt ->

Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@doubleclick[1].txt -> Spyware.Cookie.Doubleclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@doubleclick[2].txt -> Spyware.Cookie.Doubleclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@doubleclick[3].txt -> Spyware.Cookie.Doubleclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@edge.ru4[3].txt -> Spyware.Cookie.Ru4 : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-bskyb.hitbox[2].txt -> Spyware.Cookie.Hitbox :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-cricinfo.hitbox[1].txt -> Spyware.Cookie.Hitbox

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-inforspaceinc.hitbox[2].txt ->

Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-knightridder.hitbox[2].txt ->

Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-newsinternational.hitbox[2].txt ->

Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-newsinternational.hitbox[3].txt ->

Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-nokiafin.hitbox[2].txt -> Spyware.Cookie.Hitbox

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-peoplesoft.hitbox[2].txt ->

Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-pizzahut.hitbox[1].txt -> Spyware.Cookie.Hitbox

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-pizzahut.hitbox[2].txt -> Spyware.Cookie.Hitbox

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ehg-webchutney.hitbox[1].txt ->

Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@fastclick[1].txt -> Spyware.Cookie.Fastclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@fastclick[2].txt -> Spyware.Cookie.Fastclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@fastclick[3].txt -> Spyware.Cookie.Fastclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@mediaplex[1].txt -> Spyware.Cookie.Mediaplex :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@mediaplex[2].txt -> Spyware.Cookie.Mediaplex :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@mediaplex[3].txt -> Spyware.Cookie.Mediaplex :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@mt.valueclick[2].txt -> Spyware.Cookie.Valueclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@northwestairlines.112.2o7[1].txt ->

Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@overture[1].txt -> Spyware.Cookie.Overture :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@paypopup[1].txt -> Spyware.Cookie.Paypopup :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@perf.overture[1].txt -> Spyware.Cookie.Overture :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@phg.hitbox[1].txt -> Spyware.Cookie.Hitbox :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@phg.hitbox[3].txt -> Spyware.Cookie.Hitbox :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@popunder.paypopup[1].txt -> Spyware.Cookie.Paypopup

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@premiumnetworkrocks.valuead[2].txt ->

Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@pro-market[1].txt -> Spyware.Cookie.Pro-market :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@questionmarket[1].txt ->

Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@questionmarket[2].txt ->

Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@questionmarket[3].txt ->

Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned

with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@servedby.advertising[1].txt ->

Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@servedby.advertising[2].txt ->

Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@servedby.advertising[4].txt ->

Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@server.iad.liveperson[2].txt ->

Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@serving-sys[1].txt -> Spyware.Cookie.Serving-sys :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@serving-sys[3].txt -> Spyware.Cookie.Serving-sys :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@serving-sys[4].txt -> Spyware.Cookie.Serving-sys :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@stat.onestat[2].txt -> Spyware.Cookie.Onestat :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@statcounter[1].txt -> Spyware.Cookie.Statcounter :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@statcounter[2].txt -> Spyware.Cookie.Statcounter :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@statse.webtrendslive[1].txt ->

Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@statse.webtrendslive[3].txt ->

Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@targetnet[2].txt -> Spyware.Cookie.Targetnet :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@trafficmp[1].txt -> Spyware.Cookie.Trafficmp :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@trafficmp[2].txt -> Spyware.Cookie.Trafficmp :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@tribalfusion[3].txt -> Spyware.Cookie.Tribalfusion

: Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@valueclick[2].txt -> Spyware.Cookie.Valueclick :

Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@www.burstbeacon[1].txt ->

Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@z1.adserver[1].txt -> Spyware.Cookie.Adserver :

Cleaned with backup
C:\Program Files\ca\UAM\Agents\AMAGENT.EXE -> Worm.Bobic.k : Cleaned with backup
C:\Program Files\iPass\iPassConnect Infosys\backup\idialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\iPass\iPassConnect Infosys\idialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Modules\svccvt.exe -> TrojanDownloader.Small.nk : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@ehg-siebel.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\ravikumar_s\Cookies\ravikumar_s@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\WINDOWS\system32\MSNZX.EXE.0.AVB -> Backdoor.Codbot.ae : Cleaned with backup
C:\WINDOWS\system32\TFTP3056 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\TFTP388 -> Backdoor.Codbot.ag : Cleaned with backup


::Report End


3) Completed

4) Completed

5) I do not have a firewall; however, my antivirus is still catching the same infection as before.

6) I ran ActiveScan, but the moment it found an infection, my CA eTrust antivirus shut down the scan. I could not save the report, but it had the following details:
adware: adware/ezula location - windows registry No disinfected.

I ran the other Trend Micro scan and had the same issue. The moment it tried accessing remon.sys, my antivirus program shut it down.

7) The latest HijackThis report is given below:
Logfile of HijackThis v1.99.1
Scan saved at 3:13:30 PM, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\msstl.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\sdjexec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HYDWINSOCK01:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Software\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ljhih.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\UAM\Agents\amagent.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emersonproce...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)

I still keep getting the win32.efewe.h virus reported in c:\windows\system32\remon.sys by my antivirus program. I appreciate your help in resolving this.

Thanks
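A way to read a report like the ewido one pasted above: the following is an added example written for this thread (not code from ewido, CA eTrust or any poster) that parses ewido's `<path> -> <detection> : <action>` lines and separates tracking-cookie hits from backdoor, worm and trojan hits, so the entries that matter (the Codbot and Rbot backdoors, the Bobic worm, the downloader in Program Files\Modules) are not buried under a hundred cookies. The sample lines are constructed from entries in that report. Treating a `.AVB` suffix or a `\Quarantine\` folder as an already-contained copy is this example's assumption about how eTrust and Yahoo Anti-Spy store their backups, not something the report states.

```python
"""Triage an ewido scan report: split tracking-cookie noise from real
malware hits and note which hits are already stored-away copies.

Added example for this thread, not code from ewido, eTrust or any
poster.  Report entries have the shape '<path> -> <detection> : <action>';
the sample below is constructed from entries shown in the post."""
import re
from collections import Counter

# Constructed sample (wrapped lines from the pasted report rejoined).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Q319243.COM.0.AVB -> TrojanDropper.Small.hx : Cleaned with backup
C:\Program Files\ca\UAM\Agents\AMAGENT.EXE -> Worm.Bobic.k : Cleaned with backup
C:\Program Files\iPass\iPassConnect Infosys\idialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Modules\svccvt.exe -> TrojanDownloader.Small.nk : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> Spyware.Cookie.Adtech : Cleaned with backup
C:\WINDOWS\system32\MSNZX.EXE.0.AVB -> Backdoor.Codbot.ae : Cleaned with backup
C:\WINDOWS\system32\TFTP3056 -> Backdoor.Rbot : Cleaned with backup
::Report End
"""

ENTRY_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")

# Detection-name prefixes that mean running code, not a browser cookie.
MALWARE_FAMILIES = {"Backdoor", "Worm", "Trojan", "TrojanDownloader",
                    "TrojanDropper", "TrojanSpy", "Virus"}


def parse_entry(line):
    """Return (path, detection, action) for a report entry, else None."""
    m = ENTRY_RE.match(line.strip())
    return m.groups() if m else None


def classify(detection):
    """Bucket a detection name: cookie, malware, heuristic or other."""
    if detection.startswith("Spyware.Cookie."):
        return "cookie"
    family = detection.split(".", 1)[0]
    if family in MALWARE_FAMILIES:
        return "malware"
    if family == "Heuristic":
        return "heuristic"          # needs a human look: often a false positive
    return "other"


def already_contained(path):
    """Assumption: a .AVB suffix (eTrust backup copy) or a Quarantine
    folder means another scanner had already set the file aside."""
    p = path.lower()
    return p.endswith(".avb") or "\\quarantine\\" in p


def triage(report_text):
    """Count hits per bucket and list malware/heuristic hits found in live
    locations separately from ones that were already contained."""
    counts = Counter()
    active, contained = [], []
    for line in report_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue                # header, footer or blank line
        path, detection, _action = entry
        bucket = classify(detection)
        counts[bucket] += 1
        if bucket in ("malware", "heuristic"):
            target = contained if already_contained(path) else active
            target.append((path, detection))
    return {"counts": dict(counts), "active": active, "contained": contained}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("hits per bucket:", result["counts"])
    for path, det in result["active"]:
        print("ACTIVE   ", det, "<-", path)
    for path, det in result["contained"]:
        print("contained", det, "<-", path)
```

On the sample this leaves four live hits to look at (the worm in the CA agent folder, the downloader, the Rbot backdoor and one heuristic dialer hit that is probably the corporate iPass client) and two that were already backup copies. The heuristic bucket is kept apart on purpose: a heuristic hit on a known corporate tool is the kind of entry a helper wants to review rather than act on.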

#9
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
Now you've got a Vundo infection showing in your log. We will need a couple more tools for this one also.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files.
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
  • You will first be presented with a warning and a list of forums to seek help at. It should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press Enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\ljhih.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\hihjl.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run, then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ljhih.dll
    O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll

  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots, please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
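Why those two HijackThis lines go together: a module registered both as an Internet Explorer browser helper (O2) and as a Winlogon Notify package (O20) is loaded by the browser and by winlogon.exe, so it is in use from logon onward, which is what makes a Vundo DLL resist a plain delete and why a Safe Mode tool is used instead. The script below is an added example for this thread (not code from HijackThis, VundoFix or Buckeye_Sam) that parses a HijackThis log, reports any DLL appearing in both sections, returns the exact lines a helper would ask to be ticked in "Fix checked", and also lists O23 services marked "(file missing)", like the SMSC entry in the log above. It assumes the " - " separator layout seen in the logs pasted here; the sample log is constructed from those entries.

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) entries that
load the same DLL, the pairing that marks the Vundo infection in this
thread, and list O23 services whose binary is missing.

Added example for this thread, not code from HijackThis, VundoFix or
any poster.  Parsing assumes the ' - ' separator layout seen in the
pasted logs; the sample log is constructed from lines shown there."""
import re

# Constructed sample built from entries in the log pasted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ljhih.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# Sections where the loaded module is the text after the last ' - '.
PATH_LAST_SECTIONS = {"O2", "O3", "O20", "O23"}
MISSING = "(file missing)"


def parse_hjt(text):
    """Return one dict per O2/O3/O20/O23 line with its normalised path."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m or m.group(1) not in PATH_LAST_SECTIONS:
            continue
        section, body = m.groups()
        if " - " not in body:
            continue
        desc, path = body.rsplit(" - ", 1)
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        entries.append({"section": section, "desc": desc,
                        "path": path.strip().lower(),   # System32 == SYSTEM32
                        "missing": missing, "line": raw.strip()})
    return entries


def bho_notify_pairs(entries):
    """DLLs registered both as an IE browser helper (O2) and as a Winlogon
    Notify package (O20): one module hooking the browser and the logon."""
    bho = {e["path"] for e in entries if e["section"] == "O2"}
    notify = {e["path"] for e in entries if e["section"] == "O20"}
    return sorted(bho & notify)


def suspect_lines(text):
    """The exact O2/O20 log lines belonging to a BHO/Notify pair, i.e. the
    lines a helper would ask the user to tick in 'Fix checked'."""
    entries = parse_hjt(text)
    paired = set(bho_notify_pairs(entries))
    return [e["line"] for e in entries
            if e["section"] in ("O2", "O20") and e["path"] in paired]


def missing_services(entries):
    """O23 services whose binary HijackThis could not find on disk."""
    return [e["desc"] for e in entries
            if e["section"] == "O23" and e["missing"]]


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("BHO + Winlogon Notify pairs:", bho_notify_pairs(ents))
    for line in suspect_lines(SAMPLE_LOG):
        print("  fix:", line)
    print("services with missing binary:", missing_services(ents))
```

On the sample only ljhih.dll shows up in both sections, which reproduces the two lines Buckeye_Sam asked to have fixed; the legitimate Intel and Sebring Notify packages have no BHO twin and are left alone. Splitting on the last " - " is deliberate: a CLSID or a vendor name can contain a hyphen, but the loaded module always sits at the end of an O2, O3, O20 or O23 line.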

#10
rupi
    New Member
  • Topic Starter
  • Member
  • 9 posts
Thanks for your update.

A new problem has come up: because of all the operations I did yesterday, I am not able to connect to the internet now.
While connecting to the LAN in my office, it reports that no IP is being retrieved. I tried dial-up as well but could not connect.

I cannot carry out the steps mentioned by you unless I connect my laptop to the internet. Can you help me with this issue? Is it related to the infection on my machine?

Thanks

#11
rupi
    New Member
  • Topic Starter
  • Member
  • 9 posts
I completed the steps for fixing Vundo as mentioned. However, while running HijackThis, I did not find the O2 and O20 entries.

I cannot run ActiveScan from my machine as it will conflict with eTrust Antivirus and will be stopped by my antivirus program. I tried this twice yesterday but no help.

The latest HijackThis log is as given below:
Logfile of HijackThis v1.99.1
Scan saved at 1:53:00 PM, on 10/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\msstl.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\CA\UAM\Agents\umclisvc.exe
C:\Program Files\iPass\iPassConnect Infosys\idialer.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\sdjexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\UAM\Agents\UMISWW32.EXE
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Software\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\UAM\Agents\amagent.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emersonproce...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7138E98-95AA-484D-B6A9-5EE1CB922E57}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)



The VundoFix.exe file details are below:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 156 'smss.exe'
Threads [160][164][168]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 712 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 232 'winlogon.exe'
Killing PID 232 'winlogon.exe'
Killing PID 232 'winlogon.exe'
Killing PID 232 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


I am still not able to connect to the Internet from my laptop. Could it be because I deleted a file while running Ewido yesterday? Please help me restore the net connection from my laptop.

Thanks
rupi

#12 Buckeye_Sam (Malware Expert, 10,019 posts)
The good news is that Vundo is gone. The bad news is that I'm not sure what caused you to lose your connection. But there are a few things that we can try.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next, go to Start -> Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(That space between g and / is needed.)



If that doesn't work, download Winsock XP Fix from another computer. Put it onto a disc or USB stick and move it over to your laptop and run it.



Assuming one of those gets you back to the Internet again, can you tell me what this line in your HijackThis log refers to?

O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe

It is suspicious to me, just because it's unknown. Can you shed any light?


Let me know about your connection also.

#13 rupi (New Member, Topic Starter, 9 posts)
Thanks for your persistence and help. This [bleep] thing has already taken up so much time.

I just googled for msstl.exe and it seems to be some sort of trojan similar to remon.sys.

I am able to use dial-up now, as I restored some file from the Ewido scan and it started working, but not my LAN connection. Could something have been deleted by Ewido?

Also, I keep getting the remon.sys warning. I tried deleting the file in Safe Mode but it reappeared on normal bootup. I also cannot find any registry entries for remon.sys.

Please help me in removing these two infections now.

Thanks for your help.

rupi

#14 Buckeye_Sam (Malware Expert, 10,019 posts)
Please print out these instructions as much of this will have to be carried out in Safe mode.


Please download Stinger but don't run it quite yet.


=========


Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll (file missing)
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)



==========


Click Start -> Run -> (type) services.msc

Scroll down and find the service called BusinessC. When you find it, double-click on it. In the next window that opens, click the Stop button (if available), then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

Do the same thing with System Manager Service


Run HijackThis and click on Open the Misc Tools section -> Delete an NT Service.
Copy and paste this into the text box and click OK.

BusinessContinuity and then SMSC


==========


Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • For more info on how to show hidden files click here.

==========


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.

===========


Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.


===========


Run Stinger. If it finds anything, please save the log and post it in your next reply.


===========


Run a full scan with Ewido. Please save the log after the scan and post it in your next reply.


===========


Delete these files, if present.

C:\WINDOWS\msstl.exe
C:\WINDOWS\smsc.exe


===========


Delete your temp files
  • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the Delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the Delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the Delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.

============


Reboot back to normal mode. Please post a new HijackThis log, the log from Ewido, the log from rdrivRem, and the log from Stinger (if there is one).
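Buckeye_Sam's read of the log in post #11 rests on two signals: an O23 service whose publisher is recorded as "Unknown owner", and O20/O23 entries marked "(file missing)", which are orphaned hooks or services pointing at a file that no longer exists. The script below is an added example written for this page, not HijackThis code and not a tool used in the thread; it assumes the HijackThis 1.99.x line format shown in rupi's logs and takes a handful of lines copied from that log as its sample input.

```python
"""Triage a HijackThis log for the two signals used in this thread.

Added example (not HijackThis code, not from the thread): flags O23 services
with no recorded publisher ("Unknown owner") and O20/O23 entries whose target
file is gone ("(file missing)"). Assumes the HijackThis 1.99.x line format.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, including legitimate neighbours so the rules have something to
# leave alone (igfxcui, AmoAgent) and one "Unknown owner" false positive
# (the Check Point SecuRemote service) that a human still has to clear.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ljhih - C:\WINDOWS\System32\ljhih.dll (file missing)
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
"""

# Optional trailing marker HijackThis appends when the referenced file is absent.
MISSING = r"(?P<missing> \(file missing\))?$"

# O20 - Winlogon Notify: <package name> - <dll path>[ (file missing)]
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)" + MISSING)

# O23 - Service: <display name>[ (<short name>)] - <owner> - <exe path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)" + MISSING
)


@dataclass
class Finding:
    section: str                # "O20" or "O23"
    name: str                   # notify package name, or service short name
    path: str                   # file the entry points at
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per O20/O23 line that trips a rule, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("target DLL missing")
            if reasons:
                findings.append(Finding("O20", m.group("name"), m.group("path"), reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no publisher recorded")
            if m.group("missing"):
                reasons.append("target executable missing")
            if reasons:
                name = m.group("short") or m.group("display")
                findings.append(Finding("O23", name, m.group("path"), reasons))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Short names to take to services.msc / 'Delete an NT Service' for review."""
    return [f"{f.section}:{f.name}" for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name:<20} {f.path}  <- {', '.join(f.reasons)}")
```

The output is a review list, not a kill list: in rupi's own log the Check Point SecuRemote service (FwSRService) is also "Unknown owner", so the flag means "identify this service" rather than "delete it". A service that is both unowned and pointing at a missing file (SMSC here) is the strongest of the three cases, since nothing legitimate is served by a registered service whose binary is gone.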

#15 rupi (New Member, Topic Starter, 9 posts)
Hi,

I completed all the steps and it seems to have improved the situation. The log files are attached below:

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:07:34 PM, on 10/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\CA\UAM\Agents\cam.exe
C:\Program Files\CA\UAM\Agents\camclose.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sparsh/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HYDWINSOCK01:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Software\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\UAM\Agents\amagent.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Software\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emersonproce...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE



Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:58:26 PM, 10/14/2005
+ Report-Checksum: F4E18E06

+ Scan result:

C:\Program Files\ca\UAM\Agents\AMAGENT.EXE -> Worm.Bobic.k : Ignored
C:\Program Files\iPass\iPassConnect Infosys\backup\idialer.exe -> Heuristic.Win32.Dialer : Ignored
C:\Program Files\iPass\iPassConnect Infosys\idialer.exe -> Heuristic.Win32.Dialer : Ignored
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ad.adocean[1].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@gde.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\rupinder_kahlon\Cookies\rupinder_kahlon@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\system32\TFTP3056 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\TFTP388 -> Backdoor.Codbot.ag : Cleaned with backup


::Report End


Rdrivrem Log

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~



~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~



~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~



~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~


Stinger Log

McAfee AVERT Stinger Version 2.5.8 built on Oct 5 2005

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Oct 5 2005.

Ready to scan for 54 viruses, trojans and variants.



Scan initiated on Fri Oct 14 09:48:37 2005

C:\WINDOWS\system32\i

Found the W32/Sdbot.worm!ftp virus !!!

C:\WINDOWS\system32\i has been deleted.

C:\WINDOWS\system32\MSNZX.EXE.0.AVB

Found the W32/Sdbot.worm.gen.w virus !!!

C:\WINDOWS\system32\MSNZX.EXE.0.AVB has been deleted.

Number of clean files: 207894

Number of infected files: 2

Number of files deleted: 2





While connecting to the LAN it says 'Failed to query TCP/IP settings of the connection. Cannot proceed'. I think it is because Ewido deleted some file.

Is the infection cleared from my machine? How can I prevent it in the future?

Thanks for your help.
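The Ewido report above mixes three kinds of lines: detections the scanner took no action on ("Ignored"), tracking cookies, and malware it actually removed. The script below is an added example, not ewido's code and not from the thread; it assumes the report layout shown in post #15 (one "path -> threat : action" line per detection) and uses a subset of those lines as constructed sample input, with the cookie path's user name replaced by a placeholder.

```python
"""Sort an ewido security suite scan report into what still needs a decision.

Added example (not ewido's code, not from the thread). Assumes the report
format shown in the thread: one "<path> -> <threat> : <action>" line per
detection, with framing lines that contain no " -> ".
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

DETECTION_RE = re.compile(r"^(?P<path>.+?) -> (?P<threat>[^:]+?) : (?P<action>.+)$")

# Constructed sample: a subset of the detection lines from the report posted
# in this thread; the cookie path's user name is replaced with <user>.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Scan result:

C:\Program Files\ca\UAM\Agents\AMAGENT.EXE -> Worm.Bobic.k : Ignored
C:\Program Files\iPass\iPassConnect Infosys\idialer.exe -> Heuristic.Win32.Dialer : Ignored
C:\Documents and Settings\<user>\Cookies\<user>@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\system32\TFTP3056 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\TFTP388 -> Backdoor.Codbot.ag : Cleaned with backup

::Report End
"""


class Detection(NamedTuple):
    path: str
    threat: str
    action: str

    @property
    def is_cookie(self) -> bool:
        # ewido names tracking cookies Spyware.Cookie.<network>
        return self.threat.startswith("Spyware.Cookie.")


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line; framing lines do not match and are skipped."""
    out: List[Detection] = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            out.append(Detection(m.group("path"), m.group("threat"), m.group("action")))
    return out


def unresolved(dets: List[Detection]) -> List[Detection]:
    """Detections the scanner left in place; each still needs a human verdict."""
    return [d for d in dets if d.action == "Ignored"]


def cleaned_malware(dets: List[Detection]) -> List[Detection]:
    """Non-cookie detections that were removed: the real evidence of compromise."""
    return [d for d in dets if d.action.startswith("Cleaned") and not d.is_cookie]


def action_counts(dets: List[Detection]) -> Dict[str, int]:
    """How many detections ended in each action, for a one-line summary."""
    return dict(Counter(d.action for d in dets))


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print("summary:", action_counts(dets))
    for d in unresolved(dets):
        print("needs verdict:", d.threat, "in", d.path)
    for d in cleaned_malware(dets):
        print("removed:", d.threat, "from", d.path)
```

Read this way, the report says what the thread leaves open: two "Ignored" items never got a decision. AMAGENT.EXE is the same file the O4 "CA-AMAgent" entry in the HijackThis log starts, so the right next step is to compare it against the vendor's copy rather than delete it on the scanner's say-so; the TFTPnnnn files under system32 that were cleaned, on the other hand, sit alongside the Sdbot detections Stinger reported and are the part of the report worth keeping as evidence.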