Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Unknown Malware renaming/removing System32 Files [CLOSED]

Started by bpeacocke , Nov 29 2005 02:57 AM

  • This topic is locked This topic is locked

#1
bpeacocke
Posted 29 November 2005 - 02:57 AM

bpeacocke

    New Member

  • Member
  • Pip
  • 5 posts
Hi there,
I have followed the instructions as per "before posting a Hijack This log" to the best of my ability. It has taken some time because as I am running all the various tools the malware renames key DLL's and other system files by adding a .tmp extension. It also removes files that it can. I am eventually reboot the system and to load a fresh installation of Win XP and to run a VBScript I have created to rename the .tmp extension files back to their original names and then to copy files found in SYSTEM32\DLLCACHE that are NOT now in SYSTEM32 up into system32. I am then able to work again.
When I ran the various Spyware/Antivirus/Trojan utilities a few things were found but rmoving these has not solved the problem.
Any help would be greatly appreciated.
Should I submit a hijackthis log?
Regards,
Bernard Peacocke
  • 0

Advertisements

#2
Crustyoldbloke
Posted 29 November 2005 - 05:12 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Yes please Bernard, submit a HJT log from normal mode and I'll take a look.
  • 0

#3
bpeacocke
Posted 29 November 2005 - 07:30 AM

bpeacocke

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks,
As requested hijackthis log attached in ZIp format

Attached File  hijackthis.zip   3.1KB   148 downloads
  • 0

#4
Crustyoldbloke
Posted 29 November 2005 - 09:12 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
This is the unzipped log.

Logfile of HijackThis v1.99.1
Scan saved at 06:55:59 AM, on 2005/11/29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CA_APPSW\framework\bin\cam.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\eTrust Audit\bin\acactmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\NILaunch.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Documents and Settings\Bernard\My Documents\AntiVirus\Tools\HijackThis.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sit-firewall:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ca.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d1db95b9c51246b0886b91a8e79802f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d1db95b9c51246b0886b91a8e79802f
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA-AutoDiscovery - Computer Associates International - C:\UCS\BIN\DISCSRV.EXE
O23 - Service: CA-IPXDiscovery - Unknown owner - C:\UCS\BIN\IPXDSCVR.EXE
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Unknown owner - C:\CA_APPSW\framework\bin\cam.exe
O23 - Service: CA-Unicenter - Computer Associates International, Inc. - C:\UCS\bin\caunisrv.exe
O23 - Service: CA-Unicenter WorldView Agent (CA-UnicenterWVAgent) - Unknown owner - C:\UCS\bin\cauwvdmn.exe
O23 - Service: CA-Unicenter NSM Auxiliary Services (CA-WebInterfaceServer) - CA - C:\CA_APPSW\browser\bin\w2fwserv.exe
O23 - Service: CA-Unicenter TNG Severity Propagation (CASevProp) - Computer Associates International, Inc. - C:\CA_APPSW\SEVPROP.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: CA-Unicenter (NR-Server) (CCI_NR_Server) - Computer Associates International, Inc. - C:\CA_APPSW\ccinrsd.exe
O23 - Service: CA-Unicenter (Transport) (CCI_Transport) - Computer Associates International, Inc. - C:\CA_APPSW\quenetd.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: eTrust Common Services Log Daemon (ECSLOGD) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSLOGD.exe
O23 - Service: eTrust Common Services Store-And-Forward Manager (ECSSAFMGR) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSSAFMGR.exe
O23 - Service: eTrust Common Services (Transport) (eCS_Transport) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSQDMN.exe
O23 - Service: eTFWService - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\eTFWService.exe
O23 - Service: eTrust Audit Action Manager - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acactmgr.exe
O23 - Service: eTrust Audit Collector - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\aclogrcd.exe
O23 - Service: eTrust Audit Distribution Agent - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acdistagn.exe
O23 - Service: eTrust Audit Distribution Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acdistsrv.exe
O23 - Service: eTrust Audit Log Router - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\aclogrd.exe
O23 - Service: eTrust Audit Portmap - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\portmap.exe
O23 - Service: eTrust Audit Redirector - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\SeLogRd.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\System32\vmnat.exe
O23 - Service: CA-Unicenter Discovery Scheduler (wvschdsv) - Computer Associates International - C:\UCS\bin\wvschdsv.exe
  • 0

#5
Crustyoldbloke
Posted 29 November 2005 - 10:37 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Bernard and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a little malware visible in your HJT log, but nothing very malicious. Let’s see what we can do with the first sweep.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Ewido Security Suite

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please visit Kaspersky for an online scan. Please select extended in the scan settings to access this option, and you will find it to be the second option from the top.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total)

Please paste logs into this thread. You will see that many people read these threads to learn about their own problems.
  • 0

#6
bpeacocke
Posted 02 December 2005 - 07:15 AM

bpeacocke

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Phil,
Thanks for your comprehensive response to my pleas for help!
Awesome!
I have done as you have suggested and I am attaching the logs as requested.
Regards,
Bernard

Attached Files


  • 0

#7
Crustyoldbloke
Posted 02 December 2005 - 09:39 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Logfile of HijackThis v1.99.1
Scan saved at 02:59:08 PM, on 2005/12/02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\NILaunch.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Bernard\My Documents\AntiVirus\Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d1db95b9c51246b0886b91a8e79802f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d1db95b9c51246b0886b91a8e79802f
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4050F9D7-38FF-45CA-A398-BC3B30A0DC26}: NameServer = 152.111.35.5,152.111.35.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = touchline.co.za
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = touchline.co.za
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = touchline.co.za
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA-AutoDiscovery - Computer Associates International - C:\UCS\BIN\DISCSRV.EXE
O23 - Service: CA-IPXDiscovery - Unknown owner - C:\UCS\BIN\IPXDSCVR.EXE
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Unknown owner - C:\CA_APPSW\framework\bin\cam.exe
O23 - Service: CA-Unicenter - Computer Associates International, Inc. - C:\UCS\bin\caunisrv.exe
O23 - Service: CA-Unicenter WorldView Agent (CA-UnicenterWVAgent) - Unknown owner - C:\UCS\bin\cauwvdmn.exe
O23 - Service: CA-Unicenter NSM Auxiliary Services (CA-WebInterfaceServer) - CA - C:\CA_APPSW\browser\bin\w2fwserv.exe
O23 - Service: CA-Unicenter TNG Severity Propagation (CASevProp) - Computer Associates International, Inc. - C:\CA_APPSW\SEVPROP.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: CA-Unicenter (NR-Server) (CCI_NR_Server) - Computer Associates International, Inc. - C:\CA_APPSW\ccinrsd.exe
O23 - Service: CA-Unicenter (Transport) (CCI_Transport) - Computer Associates International, Inc. - C:\CA_APPSW\quenetd.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: eTrust Common Services Log Daemon (ECSLOGD) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSLOGD.exe
O23 - Service: eTrust Common Services Store-And-Forward Manager (ECSSAFMGR) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSSAFMGR.exe
O23 - Service: eTrust Common Services (Transport) (eCS_Transport) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSQDMN.exe
O23 - Service: eTFWService - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\eTFWService.exe
O23 - Service: eTrust Audit Action Manager - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acactmgr.exe
O23 - Service: eTrust Audit Collector - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\aclogrcd.exe
O23 - Service: eTrust Audit Distribution Agent - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acdistagn.exe
O23 - Service: eTrust Audit Distribution Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acdistsrv.exe
O23 - Service: eTrust Audit Log Router - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\aclogrd.exe
O23 - Service: eTrust Audit Portmap - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\portmap.exe
O23 - Service: eTrust Audit Redirector - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\SeLogRd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\System32\vmnat.exe
O23 - Service: CA-Unicenter Discovery Scheduler (wvschdsv) - Computer Associates International - C:\UCS\bin\wvschdsv.exe


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, December 02, 2005 11:25:59
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/12/2005
Kaspersky Anti-Virus database records: 162754
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 124615
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 8349 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Bernard\My Documents\AntiVirus\Utilities\trojan\tfak.exe Infected: not-a-virus:RemoteAdmin.Win32.TFAK
C:\Documents and Settings\Bernard\My Documents\AntiVirus\Utilities\trojan\TFAK5.zip/tfak.exe Infected: not-a-virus:RemoteAdmin.Win32.TFAK
C:\Documents and Settings\Bernard\My Documents\AntiVirus\Utilities\trojan\TFAK5.zip Infected: not-a-virus:RemoteAdmin.Win32.TFAK

Scan process completed.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:18:05 PM, 2005/12/01
+ Report-Checksum: C8265BC4

+ Scan result:

HKU\S-1-5-21-3151635226-1636897050-3862868342-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07531599-F255-4050-B96E-ECE5AA2E63A5} -> Spyware.AdvancedSearchbar : Cleaned with backup
HKU\S-1-5-21-3151635226-1636897050-3862868342-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0B682CC1-FB40-4006-A5DD-99EDD3C9095D} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-3151635226-1636897050-3862868342-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
C:\Documents and Settings\Bernard\Local Settings\Temporary Internet Files\Content.IE5\4DMZ0TQJ\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Bernard\My Documents\CA Services Projects\Touchline\Utilities\sp4rk_i386.Exe/sp4rkx86.cab/COMPMGMT_COMPADMN_kill.exe -> Trojan.KillApp.d : Cleaned with backup
C:\Documents and Settings\Bernard\My Documents\CA Services Projects\Touchline\Utilities\sp4rk_i386.Exe/sp4rkx86.cab/COMPMGMT_COMPADMN_kill.exe -> Trojan.KillApp.d : Cleaned with backup
C:\Documents and Settings\temp\Cookies\temp@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\temp\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\temp\My Documents\Utilities\Windows\sp4rk_i386.Exe/sp4rkx86.cab/COMPMGMT_COMPADMN_kill.exe -> Trojan.KillApp.d : Cleaned with backup
C:\Documents and Settings\temp\My Documents\Utilities\Windows\sp4rk_i386.Exe/sp4rkx86.cab/COMPMGMT_COMPADMN_kill.exe -> Trojan.KillApp.d : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050111110028328.zip/Documents and Settings/Bernard/Cookies/bernard@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050111110028328.zip/Documents and Settings/Bernard/Cookies/bernard@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050111110028328.zip/Documents and Settings/Bernard/Cookies/bernard@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050202100242.zip/Documents and Settings/Bernard/Cookies/bernard@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050202100242.zip/Documents and Settings/Bernard/Cookies/bernard@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050202100242.zip/Documents and Settings/Bernard/Cookies/bernard@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup


::Report End
  • 0

#8
Crustyoldbloke
Posted 02 December 2005 - 09:40 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Bernard

The logs look good and there is just some tidying up to do.

Is this your ISP: AFRINIC P.O. Box 2271 Cape Town 8000 ZA?

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled) then click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Post back a fresh HijackThis log, from normal mode, and I will take another look.

Please just paste it into the thread; don't zip it since lots of people read these threads to learn about their own systems.
  • 0

#9
bpeacocke
Posted 05 December 2005 - 05:51 AM

bpeacocke

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Phil,

Firstly AFRINIC P.O. Box 2271 Cape Town 8000 ZA is NOT my ISP! Any reason why you asked?

As requested:
Fresh HiJackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:03:13 PM, on 2005/12/05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA_APPSW\framework\bin\cam.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\NILaunch.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Bernard\My Documents\AntiVirus\Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sit-firewall:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ca.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d1db95b9c51246b0886b91a8e79802f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d1db95b9c51246b0886b91a8e79802f
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = touchline.co.za
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = touchline.co.za
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = touchline.co.za
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA-AutoDiscovery - Computer Associates International - C:\UCS\BIN\DISCSRV.EXE
O23 - Service: CA-IPXDiscovery - Unknown owner - C:\UCS\BIN\IPXDSCVR.EXE
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Unknown owner - C:\CA_APPSW\framework\bin\cam.exe
O23 - Service: CA-Unicenter - Computer Associates International, Inc. - C:\UCS\bin\caunisrv.exe
O23 - Service: CA-Unicenter WorldView Agent (CA-UnicenterWVAgent) - Unknown owner - C:\UCS\bin\cauwvdmn.exe
O23 - Service: CA-Unicenter NSM Auxiliary Services (CA-WebInterfaceServer) - CA - C:\CA_APPSW\browser\bin\w2fwserv.exe
O23 - Service: CA-Unicenter TNG Severity Propagation (CASevProp) - Computer Associates International, Inc. - C:\CA_APPSW\SEVPROP.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: CA-Unicenter (NR-Server) (CCI_NR_Server) - Computer Associates International, Inc. - C:\CA_APPSW\ccinrsd.exe
O23 - Service: CA-Unicenter (Transport) (CCI_Transport) - Computer Associates International, Inc. - C:\CA_APPSW\quenetd.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: eTrust Common Services Log Daemon (ECSLOGD) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSLOGD.exe
O23 - Service: eTrust Common Services Store-And-Forward Manager (ECSSAFMGR) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSSAFMGR.exe
O23 - Service: eTrust Common Services (Transport) (eCS_Transport) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\ECSQDMN.exe
O23 - Service: eTFWService - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\eTrust Common Services\Bin\eTFWService.exe
O23 - Service: eTrust Audit Action Manager - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acactmgr.exe
O23 - Service: eTrust Audit Collector - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\aclogrcd.exe
O23 - Service: eTrust Audit Distribution Agent - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acdistagn.exe
O23 - Service: eTrust Audit Distribution Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\acdistsrv.exe
O23 - Service: eTrust Audit Log Router - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\aclogrd.exe
O23 - Service: eTrust Audit Portmap - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\portmap.exe
O23 - Service: eTrust Audit Redirector - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Audit\bin\SeLogRd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\System32\vmnat.exe
O23 - Service: CA-Unicenter Discovery Scheduler (wvschdsv) - Computer Associates International - C:\UCS\bin\wvschdsv.exe

Regards,
Bernard
  • 0

#10
Crustyoldbloke
Posted 05 December 2005 - 07:02 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Bernard

Firstly let me explain about the clarification on your ISP. The 017 entries normally show me who is your ISP or Proxy server. Your browser start page is set to http://www.google.co.za/. From that I assume that you are in South Africa and the IP address I was getting was also in South Africa, hence the question.

The 017 entry is touchline.co.za and the old 017 entry of 152.111.35.5 (AFRINIC P.O. Box 2271 Cape Town 8000 ZA) has now disappeared, so I can probably assume it was the hijacker.

Now you have this entry :R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ca.com;<local>

Which I believe is the result of W32/Mytob-CA and not eTrust Antivirus from CA

On that basis, I am going to recommend deleting that entry and the one for a proxy server. But before I do that, I want you to explore HijackThis and the way in which we restore a setting just in case I am wrong.

On the opening page of HJT, the third box from the top is the one marked "View the list of backups". If this is wrong, go there, click the box and highlight these entries and click restore.

Here's the fix:

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sit-firewall:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ca.com;<local>

Click on Fix Checked when finished and exit HijackThis.

If you can correct me on my assumptions and tell me how the PC is behaving now, I'd appreciate it.

May I see a fresh HJT log following a reboot please.

Thanks.
  • 0

#11
bpeacocke
Posted 09 December 2005 - 06:01 AM

bpeacocke

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Phil,
Sadly, it now appears that my Hard Drive is stuffed. It wont boot on either of the XP installations I have. Whether this has been caused by the Virus or not - I'm not sure. Currently I am running a Hard Disk Fitness Test and it complains of bad sectors so I shall have to somehow fix those if possible before I continue with this exercise ..... I shall let you know progress.
Thanks for your help thus far!
Regards,
Bernard
  • 0

#12
Crustyoldbloke
Posted 09 December 2005 - 06:22 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Bernard

That's a tough break. It could be the result of viral activity or just the HDD failing; they are normally good for about 10,000 hours give or take.

In case you are wondering, nothing that I know we have done would cause such a disaster. HDD failures provide a variety of symptoms normally from random reboots to occasional non booting and eventual permanent nonboot.
  • 0

#13
Crustyoldbloke
Posted 19 December 2005 - 03:16 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP