Jump to content


Photo

In need of assistance - MERGED 2


  • This topic is locked This topic is locked
24 replies to this topic

#1 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 10 July 2004 - 12:40 AM

Logfile of HijackThis v1.98.0
Scan saved at 9:57:39 AM, on 7/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\automove.exe
C:\WINNT\bokja.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\server\ExNS\Spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27AC09EE-C20B-4BA4-8E27-F1C33D263875} - C:\WINNT\system32\thc.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [wcsghbrcsn] C:\WINNT\system32\skpxusv.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [rz9vh.exe] C:\WINNT\system32\rz9vh.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [rz9vh.exe] C:\WINNT\system32\rz9vh.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC6E75EE-68FA-4C25-B552-70BE5ABA8157}: NameServer = 192.168.5.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travislaw.com

#2 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 10 July 2004 - 08:26 AM

Help

#3 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 10 July 2004 - 01:21 PM

Bump...Please help

#4 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 10 July 2004 - 06:24 PM

Please help

#5 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 11 July 2004 - 04:18 PM

I am still in need of assistance. I have been waiting since 7/9. Can someone please help me.

Thank you

#6 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 12 July 2004 - 01:13 AM

Logfile of HijackThis v1.98.0
Scan saved at 9:57:39 AM, on 7/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\automove.exe
C:\WINNT\bokja.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\server\ExNS\Spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27AC09EE-C20B-4BA4-8E27-F1C33D263875} - C:\WINNT\system32\thc.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [wcsghbrcsn] C:\WINNT\system32\skpxusv.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [rz9vh.exe] C:\WINNT\system32\rz9vh.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [rz9vh.exe] C:\WINNT\system32\rz9vh.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

#7 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 12 July 2004 - 10:33 PM

Threads merged to here. Please hit ADD REPLY, not NEW TOPIC.

You don't say what sort of problem you are having. But this may help whatever it is:

Update your IE - you need the security patches.
http://www.microsoft.../ie/default.asp

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Posted Image Click on the Gear icon (second from the left) to access the preferences/settings window
  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
Posted Image Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Posted Image Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Posted Image Click on Proceed to save the settings.

Posted Image Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:
  • Use Custom Scanning Options
Posted Image Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Posted Image Save the log file when it asks and then click Finish

Posted Image When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Posted Image Reboot your computer.

Fireflyer

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#8 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 13 July 2004 - 09:22 AM

Main problem is that I am getting an enormous amout of popups. Also, after a reboot, in order to see my icons, I have to go into the task manager and end task on the process rz9vh.exe. I have removed this line using Hijack this.

I am also not aware of what this line is:

O4 - HKLM\..\Run: [wcsghbrcsn] C:\WINNT\system32\skpxusv.exe

Thanks

After deleting rz9vh.exe and rebooting now 2ifqee.exe is the problem process. I now have to end task on this one in order to get my desktop to come up. I checked Hijack this and now these 2 lines are in place of rz9vh.exe

O4 - HKLM\..\RunOnce: [2ifqee.exe] C:\WINNT\system32\2ifqee.exe

O4 - HKCU\..\RunOnce: [2ifqee.exe] C:\WINNT\system32\2ifqee.exe




Logfile of HijackThis v1.98.0
Scan saved at 9:23:10 AM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\Program Files\PestPatrol\CookiePatrol.exe
c:\Program Files\PestPatrol\PPMemCheck.exe
c:\Program Files\PestPatrol\ppcontrol.exe
C:\WINNT\system32\wuauclt.exe
C:\ExNS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27AC09EE-C20B-4BA4-8E27-F1C33D263875} - C:\WINNT\system32\thc.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [wcsghbrcsn] C:\WINNT\system32\skpxusv.exe
O4 - HKLM\..\RunOnce: [2ifqee.exe] C:\WINNT\system32\2ifqee.exe
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [2ifqee.exe] C:\WINNT\system32\2ifqee.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC6E75EE-68FA-4C25-B552-70BE5ABA8157}: NameServer = 192.168.5.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travislaw.com

Edited by TroyE, 13 July 2004 - 09:40 AM.


#9 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 13 July 2004 - 10:17 AM

Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then immediately Reboot.

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

O2 - BHO: (no name) - {27AC09EE-C20B-4BA4-8E27-F1C33D263875} - C:\WINNT\system32\thc.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll

O4 - HKLM\..\Run: [wcsghbrcsn] C:\WINNT\system32\skpxusv.exe
O4 - HKLM\..\RunOnce: [2ifqee.exe] C:\WINNT\system32\2ifqee.exe
O4 - HKCU\..\RunOnce: [2ifqee.exe] C:\WINNT\system32\2ifqee.exe

Optional - resource waster -
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

After fix and reboot, delete this whole folder:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\
(Do Start->Run, enter cmd to open a DOS window. Then enter
deltree /y C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\ at the command prompt.)

Delete thiese files:
C:\WINNT\system32\skpxusv.exe
C:\WINNT\system32\2ifqee.exe

Post another log and let us know status of problem - if that doesn't do it we can bring in more weapons.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#10 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 13 July 2004 - 11:04 AM

Latest log. Now getting:

O4 - HKLM\..\RunOnce: [zz2yu.exe] C:\WINNT\system32\zz2yu.exe

O4 - HKCU\..\RunOnce: [zz2yu.exe] C:\WINNT\system32\zz2yu.exe

Opened a browser and still getting popups. Not as bad though. Here are a couple that I am being sent to:

1) http://ads1.revenue....O_SITE_ID=6706

2) Yesup.com

Thanks again!!!




Logfile of HijackThis v1.98.0
Scan saved at 11:05:19 AM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\ExNS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINNT\system32\b0y.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [zz2yu.exe] C:\WINNT\system32\zz2yu.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [zz2yu.exe] C:\WINNT\system32\zz2yu.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC6E75EE-68FA-4C25-B552-70BE5ABA8157}: NameServer = 192.168.5.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travislaw.com

#11 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 13 July 2004 - 11:28 AM

Ok - please download, extract, and run the KillBox.

Click Here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry: C:\WINNT\system32\zz2yu.exe
Then Action->Delete on reboot. (See pic below).

In the smaller window that opens, click File->Add file.
Then Action->Process and reboot.

After reboot, see if that worked, post a new log.

Attached Images

  • a_cnm3.jpg

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#12 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 13 July 2004 - 01:58 PM

Now we have this one. It seems that as soon as you delete the file it creates another random one.

O4 - HKLM\..\RunOnce: [u6evm.exe] C:\WINNT\system32\u6evm.exe

O4 - HKCU\..\RunOnce: [u6evm.exe] C:\WINNT\system32\u6evm.exe

I have gone into HKLM\software\microsoft\windows\currentversion\runonce and deleted, on reboot, there is another one there w/ a random name.

Same for HKCU\software\microsoft\windows\currentversion\runonce

If I going into C:\WINNT\system32 and delete the file it creates another one on reboot.

Logfile of HijackThis v1.98.0
Scan saved at 1:52:25 PM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\ExNS\Spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINNT\system32\pa4cue.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [u6evm.exe] C:\WINNT\system32\u6evm.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [u6evm.exe] C:\WINNT\system32\u6evm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC6E75EE-68FA-4C25-B552-70BE5ABA8157}: NameServer = 192.168.5.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travislaw.com

#13 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 13 July 2004 - 02:02 PM

This is the log after reboot. Now we have:

O4 - HKLM\..\RunOnce: [jg8geni.exe] C:\WINNT\system32\jg8geni.exe
and
O4 - HKCU\..\RunOnce: [jg8geni.exe] C:\WINNT\system32\jg8geni.exe



Logfile of HijackThis v1.98.0
Scan saved at 2:06:39 PM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\ExNS\Spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINNT\system32\e40g7.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [jg8geni.exe] C:\WINNT\system32\jg8geni.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [jg8geni.exe] C:\WINNT\system32\jg8geni.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC6E75EE-68FA-4C25-B552-70BE5ABA8157}: NameServer = 192.168.5.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travislaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travislaw.com

#14 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 13 July 2004 - 06:29 PM

I'll see if I can get an Expert to come and help..

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#15 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 13 July 2004 - 06:33 PM

Will you please find C:\WINNT\system32\jg8geni.exe (or whatever it's calling itself now).
Zip it up and email the zip as an an attachment to Zero's address
Zero says he will figure out a fix once he has the file.

Note: You may find a copy saved by KillBox in c:\!submit\.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#16 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 13 July 2004 - 09:20 PM

Email is off w/ attachment.

I could not find jg8geni.exe but I did find the one in !Submit. (zz2yu.exe)

Thanks for all your assistance CNM!

#17 Zero

Zero

    Advanced Member

  • Emeritus
  • PipPipPip
  • 224 posts

Posted 13 July 2004 - 11:34 PM

The file that was sent is the new CWS - No removal yet.

#18 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 14 July 2004 - 09:40 AM

Psykel, I have moved your post to a thread of your own.
Psykel analysis of new CWS

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#19 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 14 July 2004 - 07:05 PM

TroyE, Zero received your file - thanks! - and he and Psykel are working on a solution.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#20 Psykel

Psykel

    Member

  • Retired Staff
  • Pip
  • 38 posts

Posted 15 July 2004 - 12:48 AM

I think I got something, but I want to test it out on the virtual Drive I infested at work, so it will need to wait till tomarrow... hang tight ok!

#21 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 15 July 2004 - 03:29 PM

This is something else we found. We ran Housecall from TrendMicro:

Housecall TrendMicro


We found this: http://www.trendmicr...e=TROJ_STILEN.A

So far, it is working.

Thanks to everyone for their assitance!!!

#22 Psykel

Psykel

    Member

  • Retired Staff
  • Pip
  • 38 posts

Posted 15 July 2004 - 10:26 PM

errrmmm... well I jsut figured out a fix... if it comes back tell me, im gonna test this trendmicro thing...

Edited by Psykel, 15 July 2004 - 10:30 PM.


#23 Psykel

Psykel

    Member

  • Retired Staff
  • Pip
  • 38 posts

Posted 16 July 2004 - 12:22 AM

can you please fully confirm that housecall removed the exe problem.... After doing scans at diffrent stages of the infect process I have yet to get it to id or remove the infector or the causes... nor find any referances to the registry keys it claims on the site description... I have been able to stop it several times though in testing.

#24 TroyE

TroyE

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 20 July 2004 - 11:03 AM

I spoke w/ the person that ran Housecall and he said that he did not do anything else. I guess as long as you get a fix for it, that's what counts.

Thanks again!!!

#25 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 20 July 2004 - 11:08 AM

Glad you found a solution, TroyE. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button