win32/Startpage.66048!DLL!Trojan


#1
fisher-ridger
This looks similar to some other posts I've seen. Computer Associates groups these in families and this one sounds somewhat, but not exactly, like some others. They do not offer any way to get rid of it though. I have CA eTrust 7.1.192 which finds and "cures" it, but it's always back and seems to be in a different DLL each time. I also have had Spybot on for some time. Also Zone Labs for firewall, but I'm not sure if this was configured strongly enough. Anyway I ran CleanUp40, Ad-Aware SE, cwshredder, ewido, and TrojanHunter. Then I ran Hijack and here is that log. Thanks for any/all help!

Attached File: Scan_report_20051204.txt.txt

Logfile of HijackThis v1.99.1
Scan saved at 9:15:34 AM, on 12/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\Apps\security suite\ewidoctrl.exe
D:\Apps\security suite\ewidoguard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Apps\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winan.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
D:\APPS\OMNIPAGE\ocrawr32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\addej.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Jabber\Messenger\JabberMessenger.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe
D:\Documents and Settings\qz9d2t.W2QZ9D2T01\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.gm.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internetabh.eds.com:81;gopher=internetabh.eds.com:80;http=internetabh.eds.com:80;https=internetabh.eds.com:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com; ori*.*; 164.*; 120.*; *.gm.com; *.gmeds.com;<local>
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=d:\apps\omnipage\ocraware.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {93145802-1A51-B7C4-038A-9D3B9341A24F} - C:\WINDOWS\msuj.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Apps\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Tivoli_Check] C:\WINDOWS\COE\Tivoli\Tiv_Run.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.W2QZ9D2T01] "C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\em\opt\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [EMFINV] C:\Program Files\Eds\EmfInv\emfinv.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Apps\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [nths32.exe] C:\WINDOWS\system32\nths32.exe
O4 - HKLM\..\Run: [5B.tmp] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [5B.tmp.exe] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp.exe] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [addej.exe] C:\WINDOWS\system32\addej.exe
O4 - HKLM\..\Run: [THGuard] "D:\Apps\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [winan.exe] C:\WINDOWS\winan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jabber Messenger] C:\Program Files\Jabber\Messenger\JabberMessenger.exe -hidden
O4 - Startup: Realmon.lnk = C:\Program Files\CA\eTrust\Antivirus\Realmon.exe
O4 - Startup: VPN Dialer (OnStartup).lnk = ?
O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\zafiles\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace02...net.com/qp2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....ViewerSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.corp.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BBCDF7-C7EC-45AB-A886-38C6B472A1EB}: NameServer = 68.87.64.196,68.87.66.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BBCDF7-C7EC-45AB-A886-38C6B472A1EB}: NameServer = 68.87.64.196,68.87.66.196
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthl32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CIMPLICITY HMI Service (CIMPLICITY) - Unknown owner - C:\WINDOWS\System32\cimplicity.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\System32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dnWhoDisp - Unknown owner - D:\Apps\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: EGD Service - Unknown owner - C:\WINDOWS\egdservice.exe
O23 - Service: ewido security suite control - ewido networks - D:\Apps\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Apps\security suite\ewidoguard.exe
O23 - Service: FirstPAGE Server (FirstPAGEServer) - NETCON Technologies Incorporated - London, Ontario, Canada - d:\Apps\CIMPLICITY\HMI\PAGER\EXE\fpserver.exe
O23 - Service: Harmony - Rockwell Software Inc. - D:\Apps\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - D:\Apps\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: CIMPLICITY WebView Service (WEBVIEW) - GE Fanuc Automation - C:\WINDOWS\System32\prowlerservice.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Apps\UltraVNC\WinVNC.exe" -service (file missing)

#2
fisher-ridger
Not sure if anyone can help with this, but I've downloaded the About:Buster and was attempting to follow advice on a seemingly similar problem. My laptop will not boot into safe mode. It just hangs on apgCPQ.sys and will go no further. This is of course preventing any of the other disinfections from working. I've tried various orders of the programs listed and it just seems that they are finding more issues. It seems like going into safe mode is a requirement. :tazz:

#3
fisher-ridger
I spoke too soon. I simply changed the resolution of the video, and I was in safe mode. Ran About:Buster, cwshredder (found homesearch), cleanup. Rebooted normal and running eTrust. :tazz:

#4
fisher-ridger
OK, I also ran ewido while in safe mode:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:21:14 AM, 12/4/2005
+ Report-Checksum: 8E648392

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{10D837D7-D6EA-8BCE-37FB-E58A2E09397B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
[432] C:\WINDOWS\nthl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\dieuc.dll -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\vjwfi.dll -> Adware.SearchPage : Cleaned with backup
D:\Documents and Settings\qz9d2t.W2QZ9D2T01\Cookies\qz9d2t@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


::Report End


Then I ran a Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 10:18:22 AM, on 12/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Documents and Settings\qz9d2t.W2QZ9D2T01\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.gm.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internetabh.eds.com:81;gopher=internetabh.eds.com:80;http=internetabh.eds.com:80;https=internetabh.eds.com:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com; ori*.*; 164.*; 120.*; *.gm.com; *.gmeds.com;<local>
F3 - REG:win.ini: load=d:\apps\omnipage\ocraware.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {539322FC-A50C-270C-A3BD-3515AA26634A} - C:\WINDOWS\nettk.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Apps\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Tivoli_Check] C:\WINDOWS\COE\Tivoli\Tiv_Run.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.W2QZ9D2T01] C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [EMFINV] C:\Program Files\Eds\EmfInv\emfinv.exe
O4 - HKLM\..\Run: [sdkaa.exe] C:\WINDOWS\system32\sdkaa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jabber Messenger] C:\Program Files\Jabber\Messenger\JabberMessenger.exe -hidden
O4 - Startup: Realmon.lnk = C:\Program Files\CA\eTrust\Antivirus\Realmon.exe
O4 - Startup: Realmon.lnkb
O4 - Startup: VPN Dialer (OnStartup).lnk = ?
O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\zafiles\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.corp.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BBCDF7-C7EC-45AB-A886-38C6B472A1EB}: NameServer = 68.87.64.196,68.87.66.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BBCDF7-C7EC-45AB-A886-38C6B472A1EB}: NameServer = 68.87.64.196,68.87.66.196
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msvb.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CIMPLICITY HMI Service (CIMPLICITY) - Unknown owner - C:\WINDOWS\System32\cimplicity.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\System32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dnWhoDisp - Unknown owner - D:\Apps\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: EGD Service - Unknown owner - C:\WINDOWS\egdservice.exe
O23 - Service: ewido security suite control - ewido networks - D:\Apps\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Apps\security suite\ewidoguard.exe
O23 - Service: FirstPAGE Server (FirstPAGEServer) - NETCON Technologies Incorporated - London, Ontario, Canada - d:\Apps\CIMPLICITY\HMI\PAGER\EXE\fpserver.exe
O23 - Service: Harmony - Rockwell Software Inc. - D:\Apps\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: RSLinx - Rockwell Software, Inc. - D:\Apps\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: CIMPLICITY WebView Service (WEBVIEW) - GE Fanuc Automation - C:\WINDOWS\System32\prowlerservice.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Apps\UltraVNC\WinVNC.exe" -service (file missing)



I think that sdkaa is a problem. I thought, hoped, that maybe I had it. But running eTrust once I rebooted normally revealed:
c:\windows\iis6.log:SPAADQ:$DATA cured w32/Startpage.66048!DLL!Trojan

I have seen this many times. Deleting the file does nothing. It'll come back in a different file. Any suggestions, please? :tazz:
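Added example, not part of the original posts: a short Python sketch that diffs the autostart entries (O2, O4, O20, O23) of the two HijackThis logs above to show which load points were swapped for new file names between scans, and that splits the eTrust detection path, whose `file:stream:$DATA` form names an NTFS alternate data stream that a plain directory listing does not show. The function names (`autoruns`, `churn`, `split_ads`) are hypothetical; the sample lines are copied from the logs in this thread.

```python
import re

# Constructed input: a few lines copied from the two HijackThis logs in this thread.
SCAN_DEC4 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {93145802-1A51-B7C4-038A-9D3B9341A24F} - C:\WINDOWS\msuj.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [nths32.exe] C:\WINDOWS\system32\nths32.exe
O4 - HKLM\..\Run: [addej.exe] C:\WINDOWS\system32\addej.exe
"""
SCAN_DEC6 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {539322FC-A50C-270C-A3BD-3515AA26634A} - C:\WINDOWS\nettk.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [sdkaa.exe] C:\WINDOWS\system32\sdkaa.exe
"""
# Path from the eTrust detection line quoted in post #4.
ETRUST_HIT = r"c:\windows\iis6.log:SPAADQ:$DATA"

LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
PATH = re.compile(r"[A-Za-z]:\\[^\"<>|]*?\.(?:exe|dll|ocx)", re.I)
ADS = re.compile(r"^([A-Za-z]:\\[^:]+):([^:]+)(?::\$DATA)?$", re.I)
# Sections that load code at boot/logon: BHOs, Run keys and Startup folders,
# Winlogon Notify, services.
AUTOSTART = {"O2", "O4", "O20", "O23"}


def autoruns(log):
    """Return {(section, lowercased file path)} for autostart lines in a log."""
    found = set()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in AUTOSTART:
            continue
        p = PATH.search(m.group(2))
        if p:
            found.add((m.group(1), p.group(0).lower()))
    return found


def churn(before, after):
    """Autostart entries that vanished and that appeared between two scans."""
    a, b = autoruns(before), autoruns(after)
    return {"gone": sorted(a - b), "new": sorted(b - a)}


def split_ads(path):
    """Return (host_file, stream_name) if path names an alternate data stream."""
    m = ADS.match(path)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    diff = churn(SCAN_DEC4, SCAN_DEC6)
    for state in ("gone", "new"):
        for section, path in diff[state]:
            print(f"{state:4} {section:3} {path}")
    host, stream = split_ads(ETRUST_HIT)
    print(f"detection is in stream '{stream}' attached to {host}")
```

Entries that stay constant across both scans (SDHelper.dll, realmon.exe) drop out of the diff, leaving only the load points whose file names changed.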

#5
fisher-ridger
I guess this is for my own sanity. I'll either fix it, or hack it to death, or cry in defeat and reformat it.

Round 38:
In safe mode ran cwshredder and it found/fixed homesearch.
Rebooted.
In safe mode ran cwshredder and it found nothing.
Ran Cleanup.
In safe mode ran ewido - nothing.
Ran Cleanup.
Rebooted.
In safe mode ran Ad-Aware - nothing.
Deleted all 0 byte files (5) in my Windows directory (they looked suspicious).
Ran Cleanup.
Rebooted.
In safe mode ran eTrust AV - nothing!

Ran Hijack and nothing to my untrained (but learning) eyes appeared. Even the sdkaa.exe file that had always been in there and I was super suspicious of was gone. Could it be?

Rebooted to normal, ran ewido and... 3 infected objects! 2 Spyware.CoolWebSearch and good ol' Trojan.Agent.bi

How do you get rid of things!?!?!?!?!?!?!?!?!?!?!?!?!?!?! :tazz: