IE settings - http://www.findthewebsiteyouneed.com/ [RESOLVED]

This topic is locked

#1
Ike74 (New Member, 4 posts)

Dear Support Team;

Good day! I have browsed through several issues like this. I recently encountered the problem and would like to seek your technical advice on how to fix this properly. Since the problem started, I also encounter frequent / unwanted "system resets". This could happen at any time and is very annoying. I don't know if this is related to the initial problem I indicated above.

Here's the HijackThis log for your reference. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 09:44:16, on 2005-11-17
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\explorer.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\FiveSAlerter.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\kzwi\kzwim.exe
C:\1EBL_files\PsnLite.exe
C:\Program Files\Accessories\WordWeb\wweb32.exe
C:\1EBL_F~1\PSNGive.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Notes\nlnotes.exe
C:\Program Files\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\phg02925.CODE1\My Documents\Myfiles\Personal\Tools_Softwares\My_tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pww.clb.sc.philips.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = latam02.pixs.philips.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = latam02.pixs.philips.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.philips.com; http://137.55.48.82; http://137.55.48.77; ;<local>
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O1 - Hosts: 137.55.48.52 mes.clb.sc.philips.com
O1 - Hosts: 137.55.34.47 mak001m
O1 - Hosts: 137.55.34.49 mak002m
O1 - Hosts: 137.55.33.16 makums01
O1 - Hosts: 130.139.57.143 nym003m
O1 - Hosts: 130.147.121.55 KBMAX11
O1 - Hosts: 130.147.121.156 RTKHHPCNS1
O1 - Hosts: 130.147.122.228 RTKHHPBINS1
O1 - Hosts: 130.147.161.69 KHH001M
O1 - Hosts: 130.147.161.70 KHH002M
O1 - Hosts: 130.147.125.56 KHH002A
O1 - Hosts: 130.147.125.49 KHH001A
O1 - Hosts: 130.143.165.25 hbg004m
O1 - Hosts: 130.143.165.71 hbg007m
O1 - Hosts: 130.147.121.14 dp01
O1 - Hosts: 130.147.121.15 dp02
O1 - Hosts: 130.147.127.142 dp03
O1 - Hosts: 130.147.127.143 dp04
O1 - Hosts: 137.55.48.44 spcsvr
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\1EBL_files\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\1EBL_files\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Datesetting] regedit /s C:\Winnt\Drv\Tools\Datesetting\Datesetting.reg
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [SwdisUsrPCN.phgclbps01dt230] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [5S Alerter] C:\FiveSAlerter.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\timessquare.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [klop] C:\WINNT\54.tmp
O4 - HKCU\..\Run: [kzwi] C:\PROGRA~1\COMMON~1\kzwi\kzwim.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\PROGRA~1\COMMON~1\kzwi\kzwim.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\1EBL_files\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\1EBL_files\PsnLite.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\Accessories\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED421D1B-B0EB-472B-9AA4-4864F0E7AD2A}: Domain = clb.sc.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\k644lghq164e.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINNT\system32\bjmpqdhi.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINNT\system32\cbiknoge.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UGhpbGlwcw\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome8iClientCache - Unknown owner - C:\Oracle8i\BIN\ONRSD.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
#2
Buckeye_Sam (Malware Expert, 10,019 posts)

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3
Ike74 (Topic Starter, New Member, 4 posts)

Hello Sam;

I have made some adjustments since I last posted my problem, although I'm sure I haven't totally fixed it (unwanted pop-ups, unwanted system failures). Please see below my latest HijackThis log for your reference. Thanks in advance for your support.

Logfile of HijackThis v1.99.1
Scan saved at 10:18:06, on 2005-11-21
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\1EBL_files\PsnLite.exe
C:\1EBL_F~1\PSNGive.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Notes\nlnotes.exe
C:\Program Files\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pww.clb.sc.philips.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://wemea02.pixs.philips.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.philips.com; http://137.55.48.82; http://137.55.48.77; ;<local>
F2 - REG:system.ini: Shell=explorer.exe "
O1 - Hosts: 137.55.48.52 mes.clb.sc.philips.com
O1 - Hosts: 137.55.34.47 mak001m
O1 - Hosts: 137.55.34.49 mak002m
O1 - Hosts: 137.55.33.16 makums01
O1 - Hosts: 130.139.57.143 nym003m
O1 - Hosts: 130.147.121.55 KBMAX11
O1 - Hosts: 130.147.121.156 RTKHHPCNS1
O1 - Hosts: 130.147.122.228 RTKHHPBINS1
O1 - Hosts: 130.147.161.69 KHH001M
O1 - Hosts: 130.147.161.70 KHH002M
O1 - Hosts: 130.147.125.56 KHH002A
O1 - Hosts: 130.147.125.49 KHH001A
O1 - Hosts: 130.143.165.25 hbg004m
O1 - Hosts: 130.143.165.71 hbg007m
O1 - Hosts: 130.147.121.14 dp01
O1 - Hosts: 130.147.121.15 dp02
O1 - Hosts: 130.147.127.142 dp03
O1 - Hosts: 130.147.127.143 dp04
O1 - Hosts: 137.55.48.44 spcsvr
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\1EBL_files\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\1EBL_files\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Datesetting] regedit /s C:\Winnt\Drv\Tools\Datesetting\Datesetting.reg
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [SwdisUsrPCN.phgclbps01dt230] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [klop] C:\WINNT\54.tmp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\1EBL_files\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\1EBL_files\PsnLite.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\k644lghq164e.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINNT\system32\bjmpqdhi.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINNT\system32\cbiknoge.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UGhpbGlwcw\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome8iClientCache - Unknown owner - C:\Oracle8i\BIN\ONRSD.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

#4
Buckeye_Sam (Malware Expert, 10,019 posts)

Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.


    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [klop] C:\WINNT\54.tmp
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O20 - Winlogon Notify: MCD - C:\WINNT\system32\k644lghq164e.dll (file missing)
    O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINNT\system32\bjmpqdhi.dll (file missing)
    O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINNT\system32\cbiknoge.dll (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UGhpbGlwcw\command.exe (file missing)



  • Please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\WINNT\54.tmp
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll


    Delete any additional ibm000x.exe, .dll, or .tmp files found in the same folder.


    Delete your temp files
    • Navigate to the C:\WINNT\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the Delete key on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the Delete key on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.
Reboot your computer to go back to normal mode.


Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new hijackthis log and the info from your virus scan.
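The entries Sam lists for Fix Checked above follow a few recognisable patterns: load points whose file is gone (O20/O21/O23 entries reported "(file missing)"), Run values that execute a .tmp file or borrow a system name such as [Shell] or [ntdll.dll], a Winlogon Shell that launches something besides explorer.exe, a Run target under a Windows directory that none of the running processes use (C:\windows on a C:\WINNT system), and IE policy restrictions that lock the browser settings. The script below is an added example written for this page; it is not code from Geeks to Go or from HijackThis. It encodes those patterns as review rules and runs them over lines copied from the first two logs in the thread. The trusted-domain allowlist (philips.com, the corporate domain visible in the logs), the rule wording and the function names are the editor's assumptions.

```python
"""HijackThis log triage: turn a log into a list of entries worth a human's look.

Added example for this thread, not code from Geeks to Go or HijackThis.
The rules are the editor's own reading of what the helper selected for
"Fix Checked"; the output is a review list, not an automatic fix list.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first two HijackThis logs in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = latam02.pixs.philips.com:8080
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\timessquare.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [klop] C:\WINNT\54.tmp
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\k644lghq164e.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINNT\system32\bjmpqdhi.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UGhpbGlwcw\command.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # the rule that fired, in words a reviewer can check
    line: str     # the original log line


ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSROOT_RE = re.compile(r"^([A-Za-z]:\\(?:WINNT|WINDOWS))\\", re.I)
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:\s]+)", re.I)
# R0/R1 keys whose value is a single host or URL (ProxyOverride is a list, so it is skipped).
URL_KEYS = {"Start Page", "Search Page", "Search Bar", "Default_Page_URL",
            "Default_Search_URL", "SearchAssistant", "AutoConfigURL", "ProxyServer"}
FILE_MISSING = "(file missing)"


def observed_system_roots(log_text):
    """Windows directories (e.g. C:\WINNT, lower-cased) that the running-process list uses."""
    roots, in_procs = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # a blank line ends the process list
                break
            m = SYSROOT_RE.match(line)
            if m:
                roots.add(m.group(1).lower())
    return roots


def exe_of(cmd):
    """Executable path from a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def host_of(value):
    """Host part of an IE setting value ('http://host/', 'host:8080', 'host')."""
    m = HOST_RE.match(value.strip())
    return m.group(1).lower() if m else ""


def is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(log_text, trusted_domains=()):
    """Return the entries a reviewer should look at, each with the rule that fired."""
    roots = observed_system_roots(log_text)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and process-list lines are not entries
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("O20", "O21", "O23") and FILE_MISSING in body:
            reason = "load point whose file is missing (orphaned or self-deleting component)"
        elif sec in ("R0", "R1"):
            key, _, value = body.partition("=")
            if key.rsplit(",", 1)[-1].strip() in URL_KEYS:
                host = host_of(value)
                if host and not is_trusted(host, trusted_domains):
                    reason = f"IE/proxy setting points at untrusted host {host}"
        elif sec == "F2" and body.startswith("REG:system.ini: Shell="):
            if body.partition("Shell=")[2].strip().lower() != "explorer.exe":
                reason = "Winlogon Shell launches something besides explorer.exe"
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                name, exe = r.group("name"), exe_of(r.group("cmd"))
                root = SYSROOT_RE.match(exe)
                if exe.lower().endswith(".tmp"):
                    reason = "Run value executes a .tmp file"
                elif name.lower() == "shell" or name.lower().endswith(".dll"):
                    reason = f"Run value name '{name}' mimics a system component"
                elif root and roots and root.group(1).lower() not in roots:
                    reason = f"Run target under {root.group(1)}, a Windows directory no running process uses"
        elif sec == "O6":
            reason = "IE policy restrictions present (confirm against real group policy)"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_domains=("philips.com",)):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run as a script it prints eleven candidate lines. Ten of them are the entries Sam selected; the eleventh is the WinVNC service, flagged only because its file entry is reported missing, and Sam correctly left it alone. That false positive is why the output is a review list and not a fix list, and the O6 rule likewise needs checking against real group policy on a domain-joined machine like this one.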

#5
Ike74 (Topic Starter, New Member, 4 posts)

Hello;

Thanks a lot for your technical advice. So far the performance of my PC has improved. Here's my latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 09:02:07, on 2005-11-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\1EBL_files\PsnLite.exe
C:\1EBL_F~1\PSNGive.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Notes\nlnotes.exe
C:\Program Files\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://wemea02.pixs.philips.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.philips.com; http://137.55.48.82; http://137.55.48.77; ;<local>
F2 - REG:system.ini: Shell=explorer.exe "
O1 - Hosts: 137.55.48.52 mes.clb.sc.philips.com
O1 - Hosts: 137.55.34.47 mak001m
O1 - Hosts: 137.55.34.49 mak002m
O1 - Hosts: 137.55.33.16 makums01
O1 - Hosts: 130.139.57.143 nym003m
O1 - Hosts: 130.147.121.55 KBMAX11
O1 - Hosts: 130.147.121.156 RTKHHPCNS1
O1 - Hosts: 130.147.122.228 RTKHHPBINS1
O1 - Hosts: 130.147.161.69 KHH001M
O1 - Hosts: 130.147.161.70 KHH002M
O1 - Hosts: 130.147.125.56 KHH002A
O1 - Hosts: 130.147.125.49 KHH001A
O1 - Hosts: 130.143.165.25 hbg004m
O1 - Hosts: 130.143.165.71 hbg007m
O1 - Hosts: 130.147.121.14 dp01
O1 - Hosts: 130.147.121.15 dp02
O1 - Hosts: 130.147.127.142 dp03
O1 - Hosts: 130.147.127.143 dp04
O1 - Hosts: 137.55.48.44 spcsvr
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\1EBL_files\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\1EBL_files\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Datesetting] regedit /s C:\Winnt\Drv\Tools\Datesetting\Datesetting.reg
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [SwdisUsrPCN.phgclbps01dt230] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\1EBL_files\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\1EBL_files\PsnLite.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UGhpbGlwcw\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome8iClientCache - Unknown owner - C:\Oracle8i\BIN\ONRSD.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

Best regards,
Ike74

#6
Buckeye_Sam (Malware Expert, 10,019 posts)

Were you able to run the Panda scan?
If so, do you have a log of what was found?


Click Start -> Run -> (type) services.msc

Scroll down and find the service called Command Service. When you find it, double-click on it. In the next window that opens, click the Stop button (if available), then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.


Run HijackThis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.

cmdService


Reboot and post one last hijackthis log.
Let me know of any problems that you are still having.

#7
Ike74 (Topic Starter, New Member, 4 posts)

Hello;

Here are the initial findings of the Panda scan:


Incident Status Location

Adware:Adware/CommAd Not desinfected C:\1EBL_files\Microsoft Antispyware\Quarantine\86A892FE-F91A-4C62-B801-A899AE\5F5FAA60-0D36-4BF0-8BF6-D9C243
Adware:Adware/IST.ISTBar Not desinfected C:\1EBL_files\TPM_matters\installers\[email protected][crack.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\1EBL_files\TPM_matters\installers\Help_Scribble_v7.0.1.zip[crack.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\1EBL_files\TPM_matters\installers\Help_Scribble_v7[1].0.1.zip[crack.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\1EBL_files\TPM_matters\installers\hlscrib.zip[crack.exe]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\archive.jar-139a36c2-1b9b535c.zip.Vir[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\archive.jar-139a36c2-1b9b535c.zip.Vir[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\archive.jar-139a36c2-1b9b535c.zip.Vir[Dummy.class]
Virus:Trojan Horse Disinfected C:\Application_Data\McAfee\Quarantine\archive.jar-139a36c2-1b9b535c.zip.Vir[Beyond.class]
Adware:Adware/DollarRevenue Not desinfected C:\Application_Data\McAfee\Quarantine\cr-ts320.exe.Vir[run.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\Flash_Capture_v1[1].20_www.crack-locator.com_.zip.Vir[yre.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\Flash_Capture_v1[1].20_www.crack-locator.com_.zip.Vir.0[yre.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\Flash_Capture_v1[1].53_www.crack-locator.com_.zip.Vir[ahp.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\Flash_Capture_v1[1].53_www.crack-locator.com_.zip.Vir.0[ahp.exe]
Adware:Adware/nCase Not desinfected C:\Application_Data\McAfee\Quarantine\ipaxm11a.zip.Vir[start.exe]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\loaderadv698.jar-2b037dd6-3495b5ed.zip.Vir[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\loaderadv698.jar-2b037dd6-3495b5ed.zip.Vir[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\loaderadv698.jar-2b037dd6-3495b5ed.zip.Vir[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\loaderadv698.jar-2b037dd6-3495b5ed.zip.Vir[Parser.class]
Adware:Adware/Dyfuca Not desinfected C:\Application_Data\McAfee\Quarantine\nem220.dll.Vir
Adware:Adware/Dyfuca Not desinfected C:\Application_Data\McAfee\Quarantine\optimize.exe.Vir
Adware:Adware/PowerScan Not desinfected C:\Application_Data\McAfee\Quarantine\powerscan.exe.Vir
Adware:Adware/SpySheriff Not desinfected C:\Application_Data\McAfee\Quarantine\snd-ultraedit-3211.xx.universalpatch.exe.Vir[run.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\SWiSHmax_build_2004[1].08.12_www.crack-locator.com_.zip.Vir[fhh.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\SWiSHmax_build_2004[1].08.12_www.crack-locator.com_.zip.Vir.0[fhh.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\tbemat20.zip.Vir[start.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\TechSmith_Camtasia_Studio_v2[1].0.0_by_Orion_www.crack-locator.com_.zip.Vir[gpq.exe]
Adware:Adware/IST.ISTBar Not desinfected C:\Application_Data\McAfee\Quarantine\TechSmith_Camtasia_Studio_v2[1].0.0_by_Orion_www.crack-locator.com_.zip.Vir.0[gpq.exe]
Adware:Adware/Ucmore Not desinfected C:\Application_Data\McAfee\Quarantine\ucmoreiex.exe.Vir
Adware:Adware/Ucmore Not desinfected C:\Application_Data\McAfee\Quarantine\ucmoreiex[1].exe.Vir
Virus:Trj/Downloader.CNQ Disinfected C:\Application_Data\McAfee\Quarantine\Ulead GIF Animator 5.05 TBYB English - Bidjan.zip.Vir[start.exe]
Virus:Trj/Downloader.CNQ Disinfected C:\Application_Data\McAfee\Quarantine\Ulead GIF Animator 5.05 Trial English - Bidjan.zip.Vir[start.exe]
Adware:Adware/SpySheriff Not desinfected C:\Application_Data\McAfee\Quarantine\UltraEdit-32 11.00b+ by Knetus.exe.Vir[run.exe]
Virus:Trj/Agent.AWK Disinfected C:\contextplus.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\phg02925.CODE1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-6116a1f1.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\phg02925.CODE1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-6116a1f1.zip[NewURLClassLoader.class]
Possible Virus. Not desinfected C:\Documents and Settings\phg02925.CODE1\My Documents\Myfiles\Personal\Tools_Softwares\Cracks_Serial\ListPro\keygen4ListProPC_PPC40.exe
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\phg02925.CODE1\My Documents\Myfiles\Personal\Tools_Softwares\Flash_tools\FlashCapture\FlashCapture.zip[yre.exe]
Dialer:Dialer.BRE Not desinfected C:\Documents and Settings\phg02925.CODE1\My Documents\Myfiles\Personal\Tools_Softwares\My_tools\hijackthis\backups\backup-20051114-145809-866.inf
Adware:Adware/DollarRevenue Not desinfected C:\drsmartload1.exe
Dialer:Dialer.BRE Not desinfected C:\HTJ\backups\backup-20051114-145809-866.inf
Adware:Adware/ISearch Not desinfected C:\mte3ndi6odoxng.exe
Adware:Adware/Sqwire Not desinfected C:\stub_113_4_0_4_0.exe
Possible Virus. Not desinfected C:\WINNT\54.tmp
Spyware:Spyware/BetterInet Not desinfected C:\WINNT\inf\banner.inf
Spyware:Spyware/BetterInet Not desinfected C:\WINNT\inf\ceres.inf
Adware:Adware/IPInsight Not desinfected C:\WINNT\inf\farmmext.inf
Spyware:spyware/betterinet Not desinfected C:\WINNT\inf\payload2.inf
Adware:adware/cws.searchmeup Not desinfected C:\WINNT\kl.exe
Adware:Adware/CWS.Searchmeup Not desinfected C:\WINNT\ms1.exe
Adware:Adware/Look2Me Not desinfected C:\WINNT\system\UpdInst.exe
Virus:Trj/AVKiller.T Disinfected C:\WINNT\system32\bmgbapka.exe
Virus:Trj/Dropper.NT Disinfected C:\WINNT\system32\clmfleak.exe
Adware:Adware/Sqwire Not desinfected C:\WINNT\system32\tsuninst.exe
Adware:Adware/SpySheriff Not desinfected C:\WINNT\tool3.exe
Adware:Adware/CommAd Not desinfected C:\WINNT\UGhpbGlwcw\asappsrv.dll


I have corrected them all by manually deleting all those that were not disinfected. On the last scan nothing was detected.


Here's the latest HijackThis Scan:

Logfile of HijackThis v1.99.1
Scan saved at 16:12:52, on 2005-11-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Notes\nlnotes.exe
C:\Program Files\Notes\ntaskldr.EXE
C:\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.clb.sc.philips.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://wemea02.pixs.philips.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.philips.com; http://137.55.48.82; http://137.55.48.77; ;<local>
F2 - REG:system.ini: Shell=explorer.exe "
O1 - Hosts: 137.55.48.52 mes.clb.sc.philips.com
O1 - Hosts: 137.55.34.47 mak001m
O1 - Hosts: 137.55.34.49 mak002m
O1 - Hosts: 137.55.33.16 makums01
O1 - Hosts: 130.139.57.143 nym003m
O1 - Hosts: 130.147.121.55 KBMAX11
O1 - Hosts: 130.147.121.156 RTKHHPCNS1
O1 - Hosts: 130.147.122.228 RTKHHPBINS1
O1 - Hosts: 130.147.161.69 KHH001M
O1 - Hosts: 130.147.161.70 KHH002M
O1 - Hosts: 130.147.125.56 KHH002A
O1 - Hosts: 130.147.125.49 KHH001A
O1 - Hosts: 130.143.165.25 hbg004m
O1 - Hosts: 130.143.165.71 hbg007m
O1 - Hosts: 130.147.121.14 dp01
O1 - Hosts: 130.147.121.15 dp02
O1 - Hosts: 130.147.127.142 dp03
O1 - Hosts: 130.147.127.143 dp04
O1 - Hosts: 137.55.48.44 spcsvr
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\1EBL_files\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\1EBL_files\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Datesetting] regedit /s C:\Winnt\Drv\Tools\Datesetting\Datesetting.reg
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [SwdisUsrPCN.phgclbps01dt230] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\1EBL_files\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\1EBL_files\PsnLite.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = code1.emi.philips.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clb.sc.philips.com,diamond.philips.com,code1.emi.philips.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: OracleOraHome8iClientCache - Unknown owner - C:\Oracle8i\BIN\ONRSD.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)


Thanks for your support. I think my PC is now back in tip-top shape. Just kindly advise if you still see anything that needs to be corrected.


Kind regards,
Ike74
  • 0
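Most rows in the Panda report above point into the McAfee and Microsoft AntiSpyware quarantine folders (paths containing \Quarantine\ and ending in .Vir), where the files had already been neutralised, while a smaller set are live files under C:\WINNT that still needed attention. As an added example, not code from this thread or from Panda, here is a Python parser for that report format that separates the two groups and summarises what is left on disk. The sample rows are a subset copied verbatim from the report above (including Panda's "Not desinfected" spelling); the quarantine test is a path heuristic, not a Panda field.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the Panda report posted above,
# reproduced verbatim (including Panda's "Not desinfected" spelling).
SAMPLE_REPORT = r"""
Adware:Adware/CommAd Not desinfected C:\1EBL_files\Microsoft Antispyware\Quarantine\86A892FE-F91A-4C62-B801-A899AE\5F5FAA60-0D36-4BF0-8BF6-D9C243
Virus:Exploit/ByteVerify Disinfected C:\Application_Data\McAfee\Quarantine\archive.jar-139a36c2-1b9b535c.zip.Vir[Mein.class]
Adware:Adware/Dyfuca Not desinfected C:\Application_Data\McAfee\Quarantine\nem220.dll.Vir
Virus:Trj/Agent.AWK Disinfected C:\contextplus.exe
Possible Virus. Not desinfected C:\WINNT\54.tmp
Spyware:Spyware/BetterInet Not desinfected C:\WINNT\inf\banner.inf
Adware:Adware/CWS.Searchmeup Not desinfected C:\WINNT\ms1.exe
Adware:Adware/CommAd Not desinfected C:\WINNT\UGhpbGlwcw\asappsrv.dll
"""

# Row layout is "<incident> <status> <location>"; the status token is the only
# reliable separator because incident names and paths both contain spaces.
ROW_RE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not desinfected|Disinfected) (?P<location>.+)$"
)


def parse_report(text):
    """Turn report rows into dicts; an archive member in [brackets] is split off."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        location = m.group("location")
        member = None
        if location.endswith("]") and "[" in location:
            cut = location.rindex("[")
            location, member = location[:cut], location[cut + 1:-1]
        incident = m.group("incident")
        rows.append({
            "incident": incident,
            "category": incident.split(":", 1)[0],      # Adware, Virus, Spyware, ...
            "status": m.group("status"),
            "path": location,
            "member": member,                            # file inside an archive, if any
            # Heuristic: anything under a \Quarantine\ folder was already isolated
            # by another scanner and is not an active infection.
            "quarantined": "\\quarantine\\" in location.lower(),
        })
    return rows


def triage(rows):
    """Summarise the report: what was cleaned, what was already isolated, what is live."""
    live = [r for r in rows if r["status"] == "Not desinfected" and not r["quarantined"]]
    return {
        "total": len(rows),
        "disinfected": sum(r["status"] == "Disinfected" for r in rows),
        "already_quarantined": sum(r["quarantined"] for r in rows),
        "live_paths": sorted(r["path"] for r in live),
        "live_by_category": Counter(r["category"] for r in live),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} rows, {summary['disinfected']} disinfected, "
          f"{summary['already_quarantined']} already in quarantine")
    for path in summary["live_paths"]:
        print("still on disk:", path)
```

The "live_paths" list is the part of the report that actually needs action; the quarantined rows only need the old quarantine folders emptied, which is why deleting them by hand, as the poster did, was sufficient.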

#8 Buckeye_Sam (Malware Expert, Member, 10,019 posts)
Your log looks good to me! :tazz:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:) :)
  • 0
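The six Internet Explorer settings in the "Make your Internet Explorer more secure" step are stored per user as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), each named by the action ID Microsoft documents for that dialog entry, with 0 meaning Enable, 1 Prompt and 3 Disable. As an added example, not code from this thread, here is a Python audit that reads those values on a Windows machine (using the standard winreg module) or takes a mapping you pass in, and reports every setting that differs from the levels recommended above. The WEAK_ZONE mapping is a constructed sample, not a real machine's configuration.

```python
# Security-zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\
# Internet Settings\Zones\<n>; zone 3 is "Internet". Each setting is a DWORD named
# by its action ID, with 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings from the post above, keyed by their registry value names
# (the action IDs Microsoft documents for the Security Settings dialog).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"


def read_internet_zone():
    """Read the current Internet-zone values for this user (Windows only)."""
    import winreg  # standard library, but present only on Windows
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                current[name] = value
            except FileNotFoundError:
                pass  # value absent: audit_zone reports it as "unset"
    return current


def audit_zone(current):
    """Compare an {action_id: value} mapping against RECOMMENDED; return the deviations."""
    findings = []
    for name, (description, expected) in RECOMMENDED.items():
        actual = current.get(name)
        if actual != expected:
            findings.append({
                "action": name,
                "setting": description,
                "current": LEVEL_NAMES.get(actual, "unset" if actual is None else str(actual)),
                "expected": LEVEL_NAMES[expected],
            })
    return findings


def hardened_zone():
    """The mapping that audit_zone accepts without findings (the post's recommendations)."""
    return {name: level for name, (_, level) in RECOMMENDED.items()}


# Constructed sample: a permissive configuration with every ActiveX and frame
# setting on Enable and "Download unsigned ActiveX controls" not set at all.
WEAK_ZONE = {"1001": ENABLE, "1201": ENABLE, "1607": ENABLE, "1800": ENABLE, "1804": ENABLE}


if __name__ == "__main__":
    try:
        zone = read_internet_zone()
    except ImportError:
        zone = WEAK_ZONE  # not on Windows: audit the constructed sample instead
    for f in audit_zone(zone):
        print(f"{f['action']} {f['setting']}: is {f['current']}, should be {f['expected']}")
```

An unset value is reported as a deviation rather than ignored: when a value is missing from the user hive, Internet Explorer falls back to the zone template's level, so an audit that skipped it would not be checking what the browser actually does.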

#9 Buckeye_Sam (Malware Expert, Member, 10,019 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0