Skip to main content

paperdol

5 Posts

July 1st, 2005 17:00

Hi Bertha,
 
Thank you so much for your speedy reply.  I really appreciate your help.  Here is a new log from normal mode.  I also moved HJT from the desktop. 
 
Thanks again.
 
Best Regards,
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 1:42:59 PM, on 7/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\ACT\SideACT.exe
C:\HJT\HijackThis-1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.29.31.200:3128
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [qL3U] C:\documents and settings\kkonstan\local settings\temp\qL3U.exe
O4 - HKLM\..\Run: [6CU8NinSc] C:\windows\system32\6CU8NinSc.exe
O4 - HKLM\..\Run: [XxNZH.exe] c:\windows\system32\XxNZH.exe
O4 - HKLM\..\Run: [a193b63ba0d0] C:\WINDOWS\System32\clbcatq0.exe
O4 - HKLM\..\Run: [rieyhd] c:\windows\system32\uduwida.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lw77RUinS] tscwt.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\WINDOWS\DOWNLO~1\WebEx\320\atonecli.dll
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\WINDOWS\DOWNLO~1\WebEx\320\atonecli.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} (CHListFactory Object) - http://smihouinet10/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlsni.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlsni.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://reidata.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = regr.sisco.stewart.net
O17 - HKLM\Software\..\Telephony: DomainName = regr.sisco.stewart.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E4A66E-E2F7-446A-8E43-80E9D987513A}: NameServer = 10.29.31.247,10.253.1.47
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = regr.sisco.stewart.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = regr.sisco.stewart.net
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
 

Bertha2

711 Posts

July 1st, 2005 17:00

Hi Paper,
 
Please post back a HJT Log from Normal Mode, and also move HJT off your desktop and into its own folder something like C:\HJT this is important as it allows correct backups to be made.
 
Then run a scan and post the results here
 
Bertha2

Bertha2

711 Posts

July 1st, 2005 18:00

Hi Paper,
 
Print this off so you can follow it,
 
Please delete any current copies of the NailFix you have, and also make sure ewido is up to date (have included link for ewido in case you need it)
 
 
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
 
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
 
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
 
Then please run Ewido, and run a full scan. Save the logfile from the scan.
 
Next please run HijackThis, click Scan, and check:
 
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
 
Close all open windows except for HijackThis and click Fix Checked.
 
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan :smileyvery-happy:
 
Bertha2

wcma

2 Posts

July 1st, 2005 18:00

Could someone please help me get rid of the aurora pop-ups?? Thank you!!

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 3:12:02 PM, on 07/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\TrayTool.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Master Gray\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldclasskick.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldclasskick.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.ce1.attbb.net;
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9EE993-4A64-48EB-A6C6-F68AECDBBB21} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {56B20ED4-C55C-4C83-AC01-925568D05F5A} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7219862A-5063-4E13-AA05-5410BA4BDFFB} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {84B05BE1-7C7C-4D6F-9352-4288225F4C69} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {A3291C8E-35D9-418A-A0F9-5F11976F1C60} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {BAF31DA4-7513-4AD9-BDEE-ED8771273883} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ToolExe] C:\Program Files\Dell\TrayTool.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ixluazd] C:\WINDOWS\system32\chqhm.exe
O4 - HKLM\..\Run: [gygxpjj] C:\WINDOWS\system32\egliv.exe
O4 - HKLM\..\Run: [odaa] C:\WINDOWS\system32\zssalth.exe
O4 - HKLM\..\Run: [zpehob] C:\WINDOWS\system32\bivvb.exe
O4 - HKLM\..\Run: [dxssex] C:\WINDOWS\system32\tnrfsq.exe
O4 - HKLM\..\Run: [vtyz] C:\WINDOWS\system32\ybczvotk.exe
O4 - HKLM\..\Run: [sgrxv] C:\WINDOWS\system32\yelyx.exe
O4 - HKLM\..\Run: [sgrw] C:\WINDOWS\system32\fjcasl.exe
O4 - HKLM\..\Run: [xpuntuc] C:\WINDOWS\system32\fjkdvj.exe
O4 - HKLM\..\Run: [cmln] C:\WINDOWS\system32\bsyaep.exe
O4 - HKLM\..\Run: [wntg] C:\WINDOWS\system32\ybunwo.exe
O4 - HKLM\..\Run: [ujjoj] C:\WINDOWS\system32\rvetjupv.exe
O4 - HKLM\..\Run: [ewihita] C:\WINDOWS\system32\ecvhtohp.exe
O4 - HKLM\..\Run: [ynteb] C:\WINDOWS\system32\ogqr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [stvl] C:\WINDOWS\system32\kdln.exe
O4 - HKLM\..\Run: [bqfez] C:\WINDOWS\system32\phvk.exe
O4 - HKLM\..\Run: [znjot] C:\WINDOWS\system32\jcgsdj.exe
O4 - HKLM\..\Run: [nulirdbd] C:\WINDOWS\system32\ojca.exe
O4 - HKLM\..\Run: [tvzhduth] C:\WINDOWS\system32\npnbrob.exe
O4 - HKLM\..\Run: [mshnmiu] C:\WINDOWS\system32\rbvbzgzx.exe
O4 - HKLM\..\Run: [ogizide] C:\WINDOWS\system32\drdl.exe
O4 - HKLM\..\Run: [npnfm] C:\WINDOWS\system32\kydhwcr.exe
O4 - HKLM\..\Run: [qxkbrzq] C:\WINDOWS\system32\arngaga.exe
O4 - HKLM\..\Run: [vvgfas] C:\WINDOWS\system32\kpnltqv.exe
O4 - HKLM\..\Run: [syloryww] C:\WINDOWS\system32\vkqgb.exe
O4 - HKLM\..\Run: [zevda] C:\WINDOWS\system32\jmzzma.exe
O4 - HKLM\..\Run: [ojnclg] C:\WINDOWS\system32\fcgif.exe
O4 - HKLM\..\Run: [yyog] C:\WINDOWS\system32\lpeuowt.exe
O4 - HKLM\..\Run: [trflxo] C:\WINDOWS\system32\yvzi.exe
O4 - HKLM\..\Run: [mdvhhwa] C:\WINDOWS\system32\wcbv.exe
O4 - HKLM\..\Run: [trngidf] C:\WINDOWS\system32\wqfhbqor.exe
O4 - HKLM\..\Run: [bvftqtv] C:\WINDOWS\system32\rhsssdfl.exe
O4 - HKLM\..\Run: [aizms] C:\WINDOWS\system32\bfyxemzq.exe
O4 - HKLM\..\Run: [abdziq] C:\WINDOWS\system32\hzopxbfr.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fwin] C:\WINDOWS\system32\ffgbw.exe
O4 - HKLM\..\Run: [yvrz] C:\WINDOWS\system32\bgxav.exe
O4 - HKLM\..\Run: [lqyszzxw] C:\WINDOWS\system32\tzqs.exe
O4 - HKLM\..\Run: [orscri] C:\WINDOWS\system32\vcyp.exe
O4 - HKLM\..\Run: [ggzjv] C:\WINDOWS\system32\ololqmcq.exe
O4 - HKLM\..\Run: [fhljm] C:\WINDOWS\system32\egeljhfp.exe
O4 - HKLM\..\Run: [wsbc] C:\WINDOWS\system32\djfiula.exe
O4 - HKLM\..\Run: [ycvxysa] c:\windows\system32\jhrvsax.exe
O4 - HKLM\..\Run: [trqc] C:\WINDOWS\system32\xjjrtdc.exe
O4 - HKLM\..\Run: [zqgiv] C:\WINDOWS\system32\sgmf.exe
O4 - HKLM\..\Run: [iian] C:\WINDOWS\system32\giychncv.exe
O4 - HKLM\..\Run: [kclq] C:\WINDOWS\system32\wcsfe.exe
O4 - HKLM\..\Run: [fmyop] C:\WINDOWS\system32\rwuhrxbp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKCU\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {03A89EFD-E023-4606-A22D-45F77558EB4C} (ILINCInstall73 Class) - http://lm-learnlinc.ilinc.com/download/iLinc73i.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://lm-learnlinc.ilinc.com/download/iLinc7i.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119396027562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Message Edited by wcma on 07-01-2005 02:21 PM

Bertha2

711 Posts

July 1st, 2005 18:00

WCMA please start a new topic!!

Bertha2

paperdol

5 Posts

July 1st, 2005 19:00

Hi Bertha,
 
Here are the logs. 
 
Thanks again.
 
 
 
HJT Log
 
 
Logfile of HijackThis v1.99.1
Scan saved at 3:40:21 PM, on 7/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis-1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.29.31.200:3128
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [qL3U] C:\documents and settings\kkonstan\local settings\temp\qL3U.exe
O4 - HKLM\..\Run: [6CU8NinSc] C:\windows\system32\6CU8NinSc.exe
O4 - HKLM\..\Run: [XxNZH.exe] c:\windows\system32\XxNZH.exe
O4 - HKLM\..\Run: [rieyhd] c:\windows\system32\uduwida.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lw77RUinS] tscwt.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\WINDOWS\DOWNLO~1\WebEx\320\atonecli.dll
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\WINDOWS\DOWNLO~1\WebEx\320\atonecli.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} (CHListFactory Object) - http://smihouinet10/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlsni.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlsni.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://reidata.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = regr.sisco.stewart.net
O17 - HKLM\Software\..\Telephony: DomainName = regr.sisco.stewart.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E4A66E-E2F7-446A-8E43-80E9D987513A}: NameServer = 10.29.31.247,10.253.1.47
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = regr.sisco.stewart.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = regr.sisco.stewart.net
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
 
Ewido Log
 
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------
 + Created on:   3:39:08 PM, 7/1/2005
 + Report-Checksum:  7A1E87EE
 + Date of database:  7/1/2005
 + Version of scan engine: v3.0
 + Duration:    45 min
 + Scanned Files:   82205
 + Speed:    30.38 Files/Second
 + Infected files:   48
 + Removed files:   48
 + Files put in quarantine:  48
 + Files that could not be opened: 0
 + Files that could not be cleaned: 0
 + Binder:  Yes
 + Crypter:  Yes
 + Archives:  Yes
 + Scanned items:
 C:\
 + Scan result:
 C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.r -> Cleaned with backup
 C:\Documents and Settings\Administrator\Local Settings\Temp\GGK\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN\Cookies\kkonstan@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@66693905[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@adopt.hotbar[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@c5.zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@indiads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@link[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@mlsni.mlxchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Cookies\kkonstan@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Local Settings\Temp\!update.exe -> Spyware.PurityScan -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Local Settings\Temporary Internet Files\Content.IE5\CBS9W9UN\!update-2074[1].0000 -> Spyware.PurityScan -> Cleaned with backup
 C:\Documents and Settings\KKONSTAN.REGR\Local Settings\Temporary Internet Files\Content.IE5\ML1A3M90\!update-1904[1].0000 -> Spyware.PurityScan -> Cleaned with backup
 C:\Program Files\Aprps\CxtPls.dll -> TrojanDownloader.Apropo.ad -> Cleaned with backup
 C:\Program Files\ohra\mbsi.exe -> Spyware.PurityScan -> Cleaned with backup
 C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> Spyware.Apropos.f -> Cleaned with backup
 C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> TrojanDownloader.Apropo.w -> Cleaned with backup
 C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> TrojanDownloader.Apropo.r -> Cleaned with backup
 C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71.tmp -> Spyware.Apropos -> Cleaned with backup
 C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7F.tmp -> Trojan.VB.kq -> Cleaned with backup
 C:\thin-85-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
 C:\WINDOWS\fsebzyhwk.exe -> Spyware.BetterInternet -> Cleaned with backup
 C:\WINDOWS\system32\Biz1K.exe -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\WINDOWS\system32\Ebkfv.exe -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\WINDOWS\system32\Ezg1p5.exe -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\WINDOWS\system32\Fоnts\tracert.exe -> Spyware.PurityScan -> Cleaned with backup
 C:\WINDOWS\system32\HyperLinker2.exe -> Spyware.iSearch -> Cleaned with backup
 C:\WINDOWS\system32\Ink630wv.exe -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\WINDOWS\system32\IpwoDw.exe -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\WINDOWS\system32\lmf32v.dll -> Spyware.Suggestor.g -> Cleaned with backup
 C:\WINDOWS\system32\PreUninstall.exe -> Spyware.Suggestor.g -> Cleaned with backup
 C:\WINDOWS\system32\Searchx.htm -> Spyware.TwainTech -> Cleaned with backup
 C:\WINDOWS\system32\Ubsw.exe -> TrojanDownloader.VB.em -> Cleaned with backup
 C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
 C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet.f -> Cleaned with backup

::Report End

paperdol

5 Posts

July 1st, 2005 19:00

Hi Bertha

I'm scanning it now with ewido. I Followed the steps you posted very carefully and I will keep you posted also with the logs.

Thanks very much for your help.

Have a great 4th!

Paperdol

Bertha2

711 Posts

July 1st, 2005 20:00

Can you post a HJT Log from Normal Mode please?

Bertha2

Was this post helpful?

View All

No Events found!

Top