[Closed] Unable to run HijackThis, Encounters problem while running HijackThis
PrachiP, post Jan 31 2008, 04:10 AM, Post #1
New Member (Group: New Member; Posts: 8; Joined: 31-January 08; Member No.: 76,475; Operating System: Windows 2000 Professional)

Hello there,
I have just downloaded HijackThis and am trying to run it by clicking on "Do a system scan and save a log file". It finishes the scan and then a popup window comes up saying "HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program". I have tried it a few times but every time it does the same thing.

Please help.
My computer is not able to open Windows Explorer or My Computer. If I click on it, the screen refreshes and then nothing happens. This is the reason why I wanted to download HijackThis and get the log file.

Any help will be greatly appreciated.
Many thanks.
LDTate, post Jan 31 2008, 04:45 PM, Post #2
Forum God (Group: Root Admin; Posts: 48,343; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276; MVP)

I suggest you do this:

Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF Cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

PrachiP, post Feb 1 2008, 04:14 AM, Post #3

Thanks for your help!!
Please find below the log from the anti-malware.

Malwarebytes' Anti-Malware 1.01
Database version: 309

Scan type: Quick Scan
Objects scanned: 33974
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 18
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\SYSTEM32\jkklm.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{357554e5-88b8-4a84-a754-641b0df0b227} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{357554e5-88b8-4a84-a754-641b0df0b227} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{820a2c8d-dfc0-4a9f-b3ca-4410ca4f7c04} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{820a2c8d-dfc0-4a9f-b3ca-4410ca4f7c04} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Think-Adz (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{820a2c8d-dfc0-4a9f-b3ca-4410ca4f7c04} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\jkklm.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\SYSTEM32\jkklm.dll (Trojan.Vundo) -> Failed to delete. (Delete on reboot).
C:\WINNT\SYSTEM32\mlkkj.bak1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\SYSTEM32\mlkkj.bak2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\SYSTEM32\mlkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\SYSTEM32\mlkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\psharma\Start Menu\Programs\Startup\Think-Adz.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.EC3SOLUTIONS\Start Menu\Programs\Startup\Think-Adz.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\psharma\Start Menu\Programs\Startup\TA_Start.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.EC3SOLUTIONS\Start Menu\Programs\Startup\TA_Start.lnk (Malware.Trace) -> Quarantined and deleted successfully.


Please advise the next steps. I still cannot access Windows Explorer, My Computer or Control Panel.
Thanks in advance.
LDTate, post Feb 1 2008, 05:49 AM, Post #4

Let's try this:

Please delete any HijackThis Folders and Files you have now.

There's a new version of HijackThis.


Click the "Save" button.

Please put your HijackThis in its own folder (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here [Add Reply].
PrachiP, post Feb 1 2008, 07:05 AM, Post #5

Thanks again.
Below is the log from HijackThis. Hope this helps to detect the problem.

Logfile of HijackThis v1.99.1
Scan saved at 13:02:50, on 01/02/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NetSupport Manager\client32.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\NetSupport Manager\gateway32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Sybase\shared-1_0\bin\sybjsvc.exe
C:\Sybase\SYSAM-1_0\bin\lmgrd.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\Sybase\SYSAM-1_0\bin\SYBASE.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Sybase\EPASA-7_0_3\win32\dbsrv7.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\Explorer.Exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\PROGRA~1\TEXTPA~1\TextPad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\IntelliJ-IDEA-3.0.1\bin\idea.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\java\j2sdk1.4.2\bin\javaw.exe
C:\Program Files\Embarcadero\RSQL603\RSQL603.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ec3 solutions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41C5EECC-F2B6-478C-8004-4EB4C95FE76D} - C:\WINNT\system32\jkklm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A461CF0D-A7E5-49E7-994C-BEC206090037} - C:\WINNT\system32\hxdhwgjv.dll
O2 - BHO: {f2ad7e40-5ce2-14eb-64e4-97b22040fccd} - {dccf0402-2b79-4e46-be41-2ec504e7da2f} - C:\WINNT\system32\njdmxaho.dll
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINNT\system32\xxyvusr.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [07d10abd] rundll32.exe "C:\WINNT\system32\dwweausn.dll",b
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\SYSTEM32\TBCTRAY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195031678248
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O20 - Winlogon Notify: byxuurr - byxuurr.dll (file missing)
O20 - Winlogon Notify: vpesmpuf - vpesmpuf.dll (file missing)
O20 - Winlogon Notify: xxyvusr - xxyvusr.dll (file missing)
O20 - Winlogon Notify: yayyyaw - yayyyaw.dll (file missing)
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: CLIENT32 - NetSupport Ltd - C:\Program Files\NetSupport Manager\client32.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: icoya OpenContent (icoyaSite) (icoyaSite) - Unknown owner - C:\PROGRA~1\struktur\ICOYAS~1\bin\lib\win32\PythonService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetSupport DNA Client - NetSupport Ltd - C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Gateway32 (PCIGateway) - Unknown owner - C:\Program Files\NetSupport Manager\gateway32.exe" /* * (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sybase EP Management Agent - Unknown owner - C:\Sybase\shared-1_0\bin\sybjsvc.exe
O23 - Service: Sybase BCKServer _ DS_001_BS (SYBBCK_DS_001_BS) - Unknown owner - c:\sybase\ASE-12_5\bin\bcksrvr.exe (file missing)
O23 - Service: Sybase MONServer _ DS_001_MS (SYBMON_DS_001_MS) - Unknown owner - c:\sybase\ASE-12_5\bin\monsrvr.exe (file missing)
O23 - Service: Sybase SQLServer _ DS_001 (SYBSQL_DS_001) - Unknown owner - c:\sybase\ASE-12_5\bin\sqlsrvr.exe (file missing)
O23 - Service: sysam - Unknown owner - C:\Sybase\SYSAM-1_0\bin\lmgrd (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Could you please let me know what to do next.
Many thanks.
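The indicators a helper reads out of a log like the one above are regular enough to script: unnamed BHOs loading DLLs out of system32, Winlogon Notify entries whose DLL is already gone, and Run values with random hex names, rundll32 launchers or long hex arguments. The Python below is an example added here, not HijackThis code or anything the forum staff use; the heuristics are mine (an assumption about what warrants a second look, not a verdict), and the sample is a subset of lines from the log posted above. Its output is a list of entries to verify by hand, not a removal script.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HijackThis code).

Each rule encodes an indicator visible in the Vundo-era log above; the result
is a list of lines to verify, not an instruction to delete anything.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str    # HijackThis section tag, e.g. "O2"
    severity: str   # "high" = classic malware pattern, "review" = confirm vendor
    reason: str     # why the line was flagged
    line: str       # original log line


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41C5EECC-F2B6-478C-8004-4EB4C95FE76D} - C:\WINNT\system32\jkklm.dll
O2 - BHO: {f2ad7e40-5ce2-14eb-64e4-97b22040fccd} - {dccf0402-2b79-4e46-be41-2ec504e7da2f} - C:\WINNT\system32\njdmxaho.dll
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINNT\system32\xxyvusr.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [07d10abd] rundll32.exe "C:\WINNT\system32\dwweausn.dll",b
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O20 - Winlogon Notify: byxuurr - byxuurr.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)


def check_bho(body, line):
    # body: "BHO: <name> - {CLSID} - <path>[ (file missing)]"
    parts = body[len("BHO: "):].split(" - ") if body.startswith("BHO: ") else []
    if len(parts) < 3:
        return None
    name, path = parts[0].strip(), parts[-1]
    unnamed = name == "(no name)" or bool(GUID_RE.match(name))
    if unnamed and SYSTEM32_RE.search(path):
        reason = "unnamed BHO loading a DLL from system32"
        if "(file missing)" in path:
            reason += "; file already gone, orphaned registration"
        return Finding("O2", "high", reason, line)
    return None


def check_run(body, line):
    m = RUN_RE.match(body)
    if not m:
        return None
    name, cmd = m.groups()
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("Run value named like random hex")
    if re.match(r"rundll32(?:\.exe)?\s", cmd, re.I) and SYSTEM32_RE.search(cmd):
        reasons.append("rundll32 launching a DLL from system32")
    if HEX_BLOB_RE.search(cmd):
        reasons.append("long hex argument passed at startup")
    return Finding("O4", "high", "; ".join(reasons), line) if reasons else None


def check_lsp(body, line):
    if body.startswith("Unknown file in Winsock LSP:"):
        return Finding("O10", "review", "Winsock LSP not recognised; confirm the vendor before removal", line)
    return None


def check_winlogon(body, line):
    if not body.startswith("Winlogon Notify:"):
        return None
    if "(file missing)" in body:
        return Finding("O20", "high", "Winlogon Notify DLL missing on disk; orphaned persistence entry", line)
    return Finding("O20", "review", "non-default Winlogon Notify package; verify publisher", line)


CHECKS = {"O2": check_bho, "O4": check_run, "O10": check_lsp, "O20": check_winlogon}


def triage(log_text):
    """Run every section check over the log and collect the flagged lines in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        finding = check(body, line) if check else None
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 6, "review": 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_HJT_LOG)))
```

The O10 entries are deliberately only "review": the LSP in this log belongs to NetSupport DNA, which the O23 services show is installed on purpose, and the same heuristic would flag any third-party LSP. That is the reason a helper checks the vendor before telling anyone to fix an O10 line.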
LDTate, post Feb 1 2008, 07:22 AM, Post #6

Download ComboFix from Here to your Desktop.

**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop.**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not re-connect your machine to the Internet until ComboFix has completely finished.

--------------------------------------------------------------------

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

*If there is no Internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
PrachiP, post Feb 1 2008, 07:52 AM, Post #7

Thanks. Please find below the log from ComboFix:

ComboFix 08-01-30.1 - 01/02/2008 13:33:14.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.442 [GMT 0:00]
Running from: C:\Documents and Settings\psharma\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\psharma\Favorites\Online Security Guide.lnk
C:\Temp\abW9
C:\Temp\tpBe12
C:\WINNT\cookies.ini
C:\WINNT\SYSTEM32\adbkhsem.ini
C:\WINNT\system32\ajpujeuh.dll
C:\WINNT\system32\atponfng.dll
C:\WINNT\system32\aucewrxv.dll
C:\WINNT\SYSTEM32\brokrjxg.ini
C:\WINNT\SYSTEM32\btysbvvd.ini
C:\WINNT\system32\bwcdqlck.dll
C:\WINNT\system32\Cache
C:\WINNT\SYSTEM32\caimkcec.ini
C:\WINNT\SYSTEM32\chwjusay.ini
C:\WINNT\SYSTEM32\cmbydwrh.ini
C:\WINNT\system32\dbawecea.dll
C:\WINNT\system32\dbdupcdd.dll
C:\WINNT\SYSTEM32\ddcpudbd.ini
C:\WINNT\SYSTEM32\dhbbecby.ini
C:\WINNT\SYSTEM32\dhwctgtc.ini
C:\WINNT\system32\djvoelpn.dll
C:\WINNT\system32\dkpatgkm.dll
C:\WINNT\system32\dokqypqf.dll
C:\WINNT\system32\dpixaohw.dll
C:\WINNT\SYSTEM32\dqtoqdfh.ini
C:\WINNT\SYSTEM32\dqxpfumc.ini
C:\WINNT\SYSTEM32\dtdyxnbe.ini
C:\WINNT\system32\dwweausn.dll
C:\WINNT\SYSTEM32\eahbthpo.ini
C:\WINNT\system32\efickdvn.dll
C:\WINNT\SYSTEM32\ehhapfrm.ini
C:\WINNT\system32\ehwqewqr.dll
C:\WINNT\system32\eidklfnq.dll
C:\WINNT\SYSTEM32\eikhmgws.ini
C:\WINNT\SYSTEM32\ekbenwim.ini
C:\WINNT\system32\esoecqci.dll
C:\WINNT\SYSTEM32\etmjjlvc.ini
C:\WINNT\SYSTEM32\ewlcnuwm.ini
C:\WINNT\system32\eyrtwbrg.dll
C:\WINNT\SYSTEM32\favvewsv.ini
C:\WINNT\SYSTEM32\fbspbjat.ini
C:\WINNT\SYSTEM32\feynufsm.ini
C:\WINNT\SYSTEM32\folrreck.ini
C:\WINNT\system32\ftbnhjlo.dll
C:\WINNT\system32\ftsjefxy.dll
C:\WINNT\SYSTEM32\fwtbmwsv.ini
C:\WINNT\system32\ghmmdehj.dll
C:\WINNT\SYSTEM32\gnfnopta.ini
C:\WINNT\system32\gojkgyvi.dll
C:\WINNT\system32\gpgeudgm.dll
C:\WINNT\system32\gqveivpd.dll
C:\WINNT\system32\hfdqotqd.dll
C:\WINNT\system32\hnhjxdqb.dll
C:\WINNT\system32\hxdhwgjv.dll
C:\WINNT\SYSTEM32\iexfntqm.ini
C:\WINNT\system32\igasufam.dll
C:\WINNT\system32\ineWc01
C:\WINNT\SYSTEM32\invpojty.ini
C:\WINNT\system32\ipppvmwp.dll
C:\WINNT\SYSTEM32\iwobkenv.ini
C:\WINNT\SYSTEM32\jhedmmhg.ini
C:\WINNT\system32\jkklm.dll
C:\WINNT\SYSTEM32\jnjllvip.ini
C:\WINNT\system32\kawmjyko.dll
C:\WINNT\SYSTEM32\kbetxhyh.ini
C:\WINNT\SYSTEM32\kdvgderm.ini
C:\WINNT\system32\kjwjsfnk.dll
C:\WINNT\system32\ktuwiimt.dll
C:\WINNT\SYSTEM32\kwafoeyg.ini
C:\WINNT\SYSTEM32\leuyurhv.ini
C:\WINNT\SYSTEM32\lfkorcni.ini
C:\WINNT\system32\lfvewjmi.dll
C:\WINNT\SYSTEM32\lqxppuyj.ini
C:\WINNT\SYSTEM32\lrkcecok.ini
C:\WINNT\SYSTEM32\lxxqlohc.ini
C:\WINNT\SYSTEM32\mafusagi.ini
C:\WINNT\SYSTEM32\mceoqijg.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\meabgitv.dll
C:\WINNT\SYSTEM32\mevegori.ini
C:\WINNT\system32\miwnebke.dll
C:\WINNT\SYSTEM32\mlkkj.tmp
C:\WINNT\SYSTEM32\mmlvpthe.ini
C:\WINNT\system32\mredgvdk.dll
C:\WINNT\system32\mrfpahhe.dll
C:\WINNT\system32\msnav32.ax
C:\WINNT\system32\mtjqtvay.dll
C:\WINNT\system32\mwunclwe.dll
C:\WINNT\system32\netlccfq.dll
C:\WINNT\system32\njdmxaho.dll
C:\WINNT\system32\nolhjent.dll
C:\WINNT\SYSTEM32\nsuaewwd.ini
C:\WINNT\SYSTEM32\nvdkcife.ini
C:\WINNT\system32\nwdsihgd.dll
C:\WINNT\system32\offvhasi.dll
C:\WINNT\system32\ojsjjlly.dll
C:\WINNT\SYSTEM32\okyjmwak.ini
C:\WINNT\SYSTEM32\oljhnbtf.ini
C:\WINNT\system32\omdirafx.dll
C:\WINNT\SYSTEM32\onwetrpk.ini
C:\WINNT\SYSTEM32\ophnekly.ini
C:\WINNT\system32\oqnccujb.dll
C:\WINNT\system32\ovbyplbr.dll
C:\WINNT\system32\pac.txt
C:\WINNT\SYSTEM32\paxwacno.ini
C:\WINNT\SYSTEM32\pefrnopg.ini
C:\WINNT\system32\phatlwiv.dll
C:\WINNT\SYSTEM32\pnedexos.ini
C:\WINNT\SYSTEM32\pqugutbw.ini
C:\WINNT\SYSTEM32\pwmvpppi.ini
C:\WINNT\SYSTEM32\qdpiowuk.ini
C:\WINNT\system32\qekumfvb.dll
C:\WINNT\system32\qfowedot.dll
C:\WINNT\SYSTEM32\qllhnoji.ini
C:\WINNT\SYSTEM32\qrbkpbru.ini
C:\WINNT\SYSTEM32\qvmncpbw.ini
C:\WINNT\SYSTEM32\rblkoylt.ini
C:\WINNT\system32\rMa02yy
C:\WINNT\system32\rrfkpott.dll
C:\WINNT\SYSTEM32\rtjulfmo.ini
C:\WINNT\system32\rxxdemxv.dll
C:\WINNT\SYSTEM32\saotnnep.ini
C:\WINNT\SYSTEM32\sbrkhlfr.ini
C:\WINNT\system32\sdsujpou.dll
C:\WINNT\SYSTEM32\seuskpwu.ini
C:\WINNT\SYSTEM32\slacokjw.ini
C:\WINNT\SYSTEM32\sndhhybp.ini
C:\WINNT\system32\soxedenp.dll
C:\WINNT\system32\srcgllnn.dll
C:\WINNT\SYSTEM32\srqcxtgt.ini
C:\WINNT\system32\svrrjtpu.dll
C:\WINNT\system32\swgmhkie.dll
C:\WINNT\system32\tajbpsbf.dll
C:\WINNT\system32\tbpnqauo.dll
C:\WINNT\system32\tgwttxml.dll
C:\WINNT\system32\uhvlelys.dll
C:\WINNT\system32\ulxmhbsb.dll
C:\WINNT\SYSTEM32\uopjusds.ini
C:\WINNT\system32\urbpkbrq.dll
C:\WINNT\system32\uwbygbmm.dll
C:\WINNT\system32\uxelvmmi.dll
C:\WINNT\system32\uxxoqvuo.dll
C:\WINNT\system32\vhruyuel.dll
C:\WINNT\system32\vmgkrodv.dll
C:\WINNT\system32\vnekbowi.dll
C:\WINNT\system32\vpesmpuf.dllbox
C:\WINNT\SYSTEM32\vtigbaem.ini
C:\WINNT\SYSTEM32\vxmedxxr.ini
C:\WINNT\SYSTEM32\waiuwnfk.ini
C:\WINNT\system32\waxmxarr.dll
C:\WINNT\system32\wbtuguqp.dll
C:\WINNT\system32\winpfz32.sys
C:\WINNT\system32\wuihjsxn.dll
C:\WINNT\SYSTEM32\wyhciwnm.ini
C:\WINNT\SYSTEM32\xkldsyjj.ini
C:\WINNT\SYSTEM32\xlpfbeel.ini
C:\WINNT\SYSTEM32\xtpqqgsq.ini
C:\WINNT\system32\xunoxxrr.dll
C:\WINNT\SYSTEM32\xwabpdou.ini
C:\WINNT\system32\xyemcwoc.dll
C:\WINNT\system32\yasujwhc.dll
C:\WINNT\system32\ybcebbhd.dll
C:\WINNT\system32\ylkenhpo.dll
C:\WINNT\SYSTEM32\ylljjsjo.ini
C:\WINNT\SYSTEM32\yxfejstf.ini
C:\WINNT\system32\zxdnt3d.cfg
C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://ec3-sv09

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 13:02 . 08-02-01 13:02 <DIR> d-------- C:\Hijackthis
2008-02-01 09:50 . 08-02-01 09:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-01 09:50 . 08-02-01 09:50 <DIR> d-------- C:\Documents and Settings\psharma\Application Data\Malwarebytes
2008-01-25 15:22 . 08-01-25 15:23 <DIR> d-------- C:\Program Files\NetSupport DNA
2008-01-25 15:22 . 08-01-25 15:24 8 --a------ C:\WINNT\PCIRISVR.ST
2008-01-24 13:32 . 08-01-24 13:32 294 ---hs---- C:\WINNT\SYSTEM32\fupxqtpo.ini
2008-01-09 19:31 . 08-01-09 19:31 <DIR> d-------- C:\Program Files\Radmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:54 20,480 ----a-w C:\WINNT\quit.exe
2007-12-17 16:08 --------- d-----w C:\Documents and Settings\psharma\Application Data\NetSupport
2007-12-17 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\NetSupport
2007-12-05 14:08 786,074 --sh--w C:\WINNT\SYSTEM32\apsurlvu.tmp
2007-11-21 09:17 137,020 ----a-w C:\WINNT\SYSTEM32\lividncq.dll
2007-08-20 20:37 19,512 ----a-w C:\Documents and Settings\psharma\Application Data\GDIPFONTCACHEV1.DAT
2007-04-02 13:32 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2007-03-08 12:02 28,672 ----a-w C:\Documents and Settings\psharma\atwbxdet.dll
2007-03-07 11:51 0 ----a-w C:\Documents and Settings\psharma\hsqlprefs.dat
2006-09-11 15:50 19,512 ----a-w C:\Documents and Settings\wichmanne\Application Data\GDIPFONTCACHEV1.DAT
2006-07-10 17:05 31,192 ----a-w C:\Documents and Settings\shawj\Application Data\GDIPFONTCACHEV1.DAT
2006-03-06 14:57 19,512 ----a-w C:\Documents and Settings\amarteifios\Application Data\GDIPFONTCACHEV1.DAT
2006-01-20 18:16 19,512 ----a-w C:\Documents and Settings\wichmannd\Application Data\GDIPFONTCACHEV1.DAT
2005-11-30 15:23 19,512 ----a-w C:\Documents and Settings\vmehandru\Application Data\GDIPFONTCACHEV1.DAT
2005-08-04 15:12 19,512 ----a-w C:\Documents and Settings\newtonm.EC3SOLUTIONS\Application Data\GDIPFONTCACHEV1.DAT
2002-10-14 13:42 17,960 ----a-w C:\Documents and Settings\newtonm\Application Data\GDIPFONTCACHEV1.DAT
2002-10-07 15:33 65,960 ----a-w C:\Documents and Settings\devonaldi\Application Data\GDIPFONTCACHEV1.DAT
2002-04-19 13:40 20,664 ----a-w C:\Documents and Settings\alex\Application Data\GDIPFONTCACHEV1.DAT
2002-04-17 14:57 1,660,960 ----a-w C:\Program Files\mmssetup.exe
2002-03-01 17:14 17,576 ----a-w C:\Documents and Settings\shiela\Application Data\GDIPFONTCACHEV1.DAT
2002-02-12 16:51 17,576 ----a-w C:\Documents and Settings\weaverj\Application Data\GDIPFONTCACHEV1.DAT
2002-02-07 15:25 216,265 ----a-w C:\Program Files\14225.zip
2002-02-07 15:20 414,011 ----a-w C:\Program Files\18574.zip
2002-02-07 15:17 330,599 ----a-w C:\Program Files\14575.zip
2002-02-01 12:19 463,784 ----a-w C:\Program Files\rfv_7_20g.exe
2002-01-21 10:20 1,041,807 ----a-w C:\Program Files\dap5.exe
2002-01-21 09:25 5,177,300 ----a-w C:\Program Files\esdownloadresumer11.zip
2002-01-17 18:23 17,576 ----a-w C:\Documents and Settings\akandeo\Application Data\GDIPFONTCACHEV1.DAT
2001-09-29 23:14 35 ----a-w C:\Program Files\setup.ini
2001-04-10 07:58 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-04-10 07:58 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2000-07-26 07:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
2000-05-18 01:00 1,511,680 ----a-w C:\Program Files\InstMsiA.exe
2000-05-18 01:00 1,509,632 ----a-w C:\Program Files\InstMsiW.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 11:09 8192 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NuTCSetupEnviron"="C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe" [01-01-02 17:25 16384]
"SoDA Startup"="C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe" [01-10-15 18:13 114688]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\SYSTEM32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 12:03 36975]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [04-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [04-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [03-10-07 09:48 147514]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 39792]
"TraySantaCruz"="C:\WINNT\SYSTEM32\TBCTRAY.EXE" [00-07-26 17:46 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
discfix.lnk - C:\DELL\discfix.cmd [1980-01-01 75]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2001-11-30 09:31:36 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuurr]
byxuurr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vpesmpuf]
vpesmpuf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvusr]
xxyvusr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyyaw]
yayyyaw.dll

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys [00-11-21 16:19 ]
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 11:11 ]
R0 IntelATA;Intel Ultra ATA Controller;C:\WINNT\system32\DRIVERS\IntelAta.sys [01-03-23 00:00 ]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys [00-06-06 13:51 ]
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE [00-05-23 17:48 ]
R2 ActionAgent;ActionAgent;C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe [01-05-14 16:23 ]
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys [00-05-03 18:22 ]
R2 DLT;DLT;C:\Program Files\Dell\OpenManage\Client\DLT.exe [01-05-14 17:24 ]
R2 NetProbe;NetProbe Packet Driver;C:\WINNT\system32\DRIVERS\netprobe.sys [03-02-19 14:22 ]
R2 NetSupport DNA Client;NetSupport DNA Client;C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe [07-02-20 17:33 ]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [00-09-13 14:18 ]
R2 NuTCRACKERService;NuTCRACKER Service;C:\WINNT\System32\nutsrv4.exe [01-01-02 12:55 ]
R2 PCIGateway;Gateway32;"C:\Program Files\NetSupport Manager\gateway32.exe" [07-10-01 15:10 ]
R2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINNT\System32\inetsrv\inetinfo.exe [03-06-19 11:05 ]
R2 sysam;sysam;C:\Sybase\SYSAM-1_0\bin\lmgrd []
R2 tcaicchg;tcaicchg;C:\WINNT\System32\tcaicchg.sys [00-06-06 18:08 ]
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys [00-06-07 20:49 ]
R2 Tomcat5;Apache Tomcat;"C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" [04-08-28 22:06 ]
R3 EntDrv50;EntDrv50;C:\WINNT\system32\drivers\EntDrv50.sys [04-09-22 20:00 ]
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys [00-12-14 13:14 ]
S2 MSSQL$DS_002;MSSQL$DS_002;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe [00-08-06 01:50 ]
S3 icoyaSite;icoya OpenContent (icoyaSite);C:\PROGRA~1\struktur\ICOYAS~1\bin\lib\win32\PythonService.exe [03-07-07 16:58 ]
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [05-08-02 22:10 ]
S3 SQLAgent$DS_002;SQLAgent$DS_002;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe [00-08-06 01:50 ]
S3 SYBBCK_DS_001_BS;Sybase BCKServer _ DS_001_BS;c:\sybase\ASE-12_5\bin\bcksrvr.exe -SDS_001_BS []
S3 SYBMON_DS_001_MS;Sybase MONServer _ DS_001_MS;c:\sybase\ASE-12_5\bin\monsrvr.exe -MDS_001_MS []
S3 SYBSQL_DS_001;Sybase SQLServer _ DS_001;c:\sybase\ASE-12_5\bin\sqlsrvr.exe -sDS_001 []
S3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [00-07-26 18:04 ]
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [00-07-26 18:04 ]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [03-06-13 16:45 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 00:00:02 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 01:00:02 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 02:00:02 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 03:00:02 C:\WINNT\Tasks\At4.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 04:00:02 C:\WINNT\Tasks\At5.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 05:00:02 C:\WINNT\Tasks\At6.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 06:00:02 C:\WINNT\Tasks\At7.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 07:00:02 C:\WINNT\Tasks\At8.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 08:00:02 C:\WINNT\Tasks\At9.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 09:00:02 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 10:00:02 C:\WINNT\Tasks\At11.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 11:00:02 C:\WINNT\Tasks\At12.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 12:00:02 C:\WINNT\Tasks\At13.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 13:00:02 C:\WINNT\Tasks\At14.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 14:00:02 C:\WINNT\Tasks\At15.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 15:00:02 C:\WINNT\Tasks\At16.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 16:00:02 C:\WINNT\Tasks\At17.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 17:00:02 C:\WINNT\Tasks\At18.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 18:00:02 C:\WINNT\Tasks\At19.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 19:00:02 C:\WINNT\Tasks\At20.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 20:00:02 C:\WINNT\Tasks\At21.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 21:00:02 C:\WINNT\Tasks\At22.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 22:00:02 C:\WINNT\Tasks\At23.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 23:00:02 C:\WINNT\Tasks\At24.job"
- C:\WINNT\system32\y44ig5kg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 13:43:42
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sybase EP Management Agent]
"ImagePath"="C:\Sybase\shared-1_0\bin\sybjsvc.exe -O -nv -a \"-snSybase EP Management Agent\" c:/sybase/SHARED-1_0/JRE_1_3\bin\java -classpath C:\Sybase\EAServer\java\lib\easclient.jar;C:\Sybase\EAServer\java\lib\easj2ee.jar;C:\Sybase\AgentManager-3_0_0\classes\cimbase.jar;C:\Sybase\AgentManager-3_0_0\classes\am.jar;C:\Sybase\AgentManager-3_0_0\classes\amclient.jar;C:\Sybase\shared-1_0\lib\xml.jar;C:\Sybase\shared-1_0\lib\log4j.jar;C:\Sybase\shared-1_0\lib\log4j-core.jar;C:\Sybase\jConnect-5_5/classes/jTDS2.jar;. -Dfile.encoding=8859_1 com.sybase.management.WBEM.am.Sybmag -F C:\Sybase\AgentManager-3_0_0\sybmag.props -o C:\Sybase\AgentManager-3_0_0\sybmag.log"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\SYSTEM32\winlogon.exe
-> C:\Program Files\NetSupport DNA\DNA\Client\Components\dnaapphook.dll

PROCESS: C:\WINNT\Explorer.EXE [5.00.3700.6690]
-> C:\Program Files\NetSupport DNA\DNA\Client\Components\dnaapphook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NetSupport Manager\client32.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\NetSupport Manager\gateway32.exe
C:\WINNT\system32\regsvc.exe
C:\Sybase\shared-1_0\bin\sybjsvc.exe
C:\Sybase\SYSAM-1_0\bin\lmgrd.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\Sybase\SYSAM-1_0\bin\SYBASE.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Sybase\EPASA-7_0_3\win32\dbsrv7.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
.
**************************************************************************
.
Completion time: 2008-02-01 13:48:24 - machine was rebooted [psharma]
ComboFix-quarantined-files.txt 2008-02-01 13:48:18


Hope this helps. Below is the new log from HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 13:51, on 2008-02-01
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NetSupport Manager\client32.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\NetSupport Manager\gateway32.exe
C:\WINNT\system32\regsvc.exe
C:\Sybase\shared-1_0\bin\sybjsvc.exe
C:\Sybase\SYSAM-1_0\bin\lmgrd.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\Sybase\SYSAM-1_0\bin\SYBASE.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Sybase\EPASA-7_0_3\win32\dbsrv7.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\SYSTEM32\TBCTRAY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195031678248
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O20 - Winlogon Notify: byxuurr - byxuurr.dll (file missing)
O20 - Winlogon Notify: vpesmpuf - vpesmpuf.dll (file missing)
O20 - Winlogon Notify: xxyvusr - xxyvusr.dll (file missing)
O20 - Winlogon Notify: yayyyaw - yayyyaw.dll (file missing)
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: CLIENT32 - NetSupport Ltd - C:\Program Files\NetSupport Manager\client32.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: icoya OpenContent (icoyaSite) (icoyaSite) - Unknown owner - C:\PROGRA~1\struktur\ICOYAS~1\bin\lib\win32\PythonService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetSupport DNA Client - NetSupport Ltd - C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Gateway32 (PCIGateway) - Unknown owner - C:\Program Files\NetSupport Manager\gateway32.exe" /* * (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sybase EP Management Agent - Unknown owner - C:\Sybase\shared-1_0\bin\sybjsvc.exe
O23 - Service: Sybase BCKServer _ DS_001_BS (SYBBCK_DS_001_BS) - Unknown owner - c:\sybase\ASE-12_5\bin\bcksrvr.exe (file missing)
O23 - Service: Sybase MONServer _ DS_001_MS (SYBMON_DS_001_MS) - Unknown owner - c:\sybase\ASE-12_5\bin\monsrvr.exe (file missing)
O23 - Service: Sybase SQLServer _ DS_001 (SYBSQL_DS_001) - Unknown owner - c:\sybase\ASE-12_5\bin\sqlsrvr.exe (file missing)
O23 - Service: sysam - Unknown owner - C:\Sybase\SYSAM-1_0\bin\lmgrd (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Could you please advise on the next steps? Thanks again.
PrachiP
post Feb 1 2008, 07:58 AM
Post #8


New Member
*

Group: New Member
Posts: 8
Joined: 31-January 08
Member No.: 76,475
Operating System: Windows 2000 Professional



I just checked, and running ComboFix seems to have solved the problem.
I can use Windows Explorer and Control Panel.
Thanks a lot for your help.
LDTate
post Feb 1 2008, 08:04 AM
Post #9


Forum God
Group Icon

Group: Root Admin
Posts: 48,343
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276
MVP


Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
C:\WINNT\PCIRISVR.ST
C:\WINNT\SYSTEM32\fupxqtpo.ini
C:\WINNT\SYSTEM32\apsurlvu.tmp
C:\WINNT\SYSTEM32\lividncq.dll
C:\Program Files\rfv_7_20g.exe
C:\WINNT\system32\y44ig5kg.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuurr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vpesmpuf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvusr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyyaw]

Save this as "CFScript"

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.
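
The two things the CFScript above removes are both visible in the logs pasted earlier in the thread: twenty-four hourly At*.job tasks that all launch one randomly named executable under system32, and four Winlogon Notify packages whose DLLs are already gone but whose registry keys remain. The following is an added example, not code from this thread, ComboFix or HijackThis: a small Python checker that parses those two log sections, flags the entries, and renders them in the File::/Registry:: CFScript shape shown in the post. The sample input is copied from the logs above (three of the twenty-four tasks), and the allowlist of default Winlogon Notify packages is an assumption to be verified against a known-clean machine of the same build.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the ComboFix and HijackThis logs
# pasted earlier in this thread (three of the twenty-four At*.job entries).
COMBOFIX_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
"2008-02-01 00:00:02 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 01:00:02 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 02:00:02 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\y44ig5kg.exe
.
"""

HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\SYSTEM32\TBCTRAY.EXE
O20 - Winlogon Notify: byxuurr - byxuurr.dll (file missing)
O20 - Winlogon Notify: vpesmpuf - vpesmpuf.dll (file missing)
O20 - Winlogon Notify: xxyvusr - xxyvusr.dll (file missing)
O20 - Winlogon Notify: yayyyaw - yayyyaw.dll (file missing)
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
"""

# Assumed allowlist of Winlogon Notify packages that ship with Windows 2000/XP.
# Illustrative only: compare against a known-clean machine of the same build.
KNOWN_NOTIFY = frozenset(n.lower() for n in (
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
))

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

TASK_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} .+?\\(At\d+)\.job"$')
TARGET_RE = re.compile(r'^- (.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (\S+)(?: \((file missing)\))?$')


def parse_tasks(text):
    """Pair each At*.job line of the ComboFix 'Scheduled Tasks' section with the
    '- <path>' line that follows it; returns [(job, target_path), ...]."""
    tasks, pending = [], None
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks.append((pending, m.group(1)))
            pending = None
    return tasks


def suspicious_task_targets(tasks, min_jobs=3):
    """Executables launched by several At jobs at once. Legitimate 'at' usage rarely
    schedules the same binary every hour; the thread's log has 24 jobs for one file."""
    counts = Counter(target for _, target in tasks)
    return {target: n for target, n in counts.items() if n >= min_jobs}


def parse_o20(text):
    """Return [(package_name, dll, file_missing), ...] for HijackThis O20 lines."""
    out = []
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3) is not None))
    return out


def analyze(combofix_text, hijackthis_text):
    """Collect the indicators that the cleanup script in this thread targets."""
    targets = suspicious_task_targets(parse_tasks(combofix_text))
    notify = [(name, dll, missing) for name, dll, missing in parse_o20(hijackthis_text)
              if name.lower() not in KNOWN_NOTIFY]
    findings = [f"{n} At*.job tasks launch {t}" for t, n in targets.items()]
    for name, dll, missing in notify:
        state = "DLL gone, registry key remains" if missing else "DLL present"
        findings.append(f"Winlogon Notify '{name}' -> {dll} ({state})")
    return {"task_targets": targets, "notify": notify, "findings": findings}


def build_cfscript(file_paths, notify_names):
    """Render the two-section CFScript shape used in this thread: File:: followed by
    paths to delete, then Registry:: with [-key] lines, the REGEDIT4 syntax for
    deleting a whole key."""
    lines = ["File::", *file_paths, "", "Registry::"]
    lines += [f"[-{NOTIFY_KEY}\\{name}]" for name in notify_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = analyze(COMBOFIX_TASKS, HIJACKTHIS_LOG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print(build_cfscript(sorted(result["task_targets"]),
                         [name for name, _, _ in result["notify"]]))
```

The "(file missing)" state is the reason the Registry:: section is still needed after ComboFix: the DLL was deleted, but the Notify key that would load it at every logon was not, which is also why the helper says the machine is not clean just because Explorer works again.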
PrachiP
post Feb 1 2008, 08:12 AM
Post #10


New Member
*

Group: New Member
Posts: 8
Joined: 31-January 08
Member No.: 76,475
Operating System: Windows 2000 Professional



Do I still need to do this given that my initial problem is resolved?

I was not able to open Windows Explorer, My Computer or Control Panel. Every time I clicked on any of these, the computer would refresh and come back after 2 sec.
This seems to have gone and now I can open all of this.

Please let me know if I need to do any of the steps further.
Many thanks.
LDTate
post Feb 1 2008, 08:15 AM
Post #11


Forum God
Group Icon

Group: Root Admin
Posts: 48,343
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276
MVP


You are still infected. Please follow the instructions. I will let you know when your PC is clean.
PrachiP
post Feb 1 2008, 08:24 AM
Post #12


New Member
*

Group: New Member
Posts: 8
Joined: 31-January 08
Member No.: 76,475
Operating System: Windows 2000 Professional



Now that I'm trying to run ComboFix, it says "Cannot rename ComboFix to ComboFix. Please use another name". Am I doing something wrong?
LDTate
post Feb 1 2008, 08:28 AM
Post #13


Forum God
Group Icon

Group: Root Admin
Posts: 48,343
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276
MVP


You need to restart the computer and try it again.
LDTate
post Feb 1 2008, 10:18 AM
Post #14


Forum God
Group Icon

Group: Root Admin
Posts: 48,343
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276
MVP


Note:
You might think your computer is clean, but it isn't.
PrachiP
post Feb 4 2008, 05:15 AM
Post #15


New Member
*

Group: New Member
Posts: 8
Joined: 31-January 08
Member No.: 76,475
Operating System: Windows 2000 Professional



Hi there, sorry for the delayed response.
Below is the log from ComboFix:

ComboFix 08-01-30.1 - 2008-02-04 9:16:05.3 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.269 [GMT 0:00]
Running from: C:\Documents and Settings\psharma\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\psharma\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\rfv_7_20g.exe
C:\WINNT\PCIRISVR.ST
C:\WINNT\SYSTEM32\apsurlvu.tmp
C:\WINNT\SYSTEM32\fupxqtpo.ini
C:\WINNT\SYSTEM32\lividncq.dll
C:\WINNT\system32\y44ig5kg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\rfv_7_20g.exe
C:\WINNT\PCIRISVR.ST
C:\WINNT\SYSTEM32\apsurlvu.tmp
C:\WINNT\SYSTEM32\fupxqtpo.ini
C:\WINNT\SYSTEM32\lividncq.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 09:06 . 08-02-04 09:06 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_600.dat
2008-02-01 13:02 . 08-02-01 13:02 <DIR> d-------- C:\Hijackthis
2008-02-01 09:50 . 08-02-01 09:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-01 09:50 . 08-02-01 09:50 <DIR> d-------- C:\Documents and Settings\psharma\Application Data\Malwarebytes
2008-01-25 15:22 . 08-01-25 15:23 <DIR> d-------- C:\Program Files\NetSupport DNA
2008-01-09 19:31 . 08-01-09 19:31 <DIR> d-------- C:\Program Files\Radmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:54 20,480 ----a-w C:\WINNT\quit.exe
2007-12-17 16:08 --------- d-----w C:\Documents and Settings\psharma\Application Data\NetSupport
2007-12-17 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\NetSupport
2007-08-20 20:37 19,512 ----a-w C:\Documents and Settings\psharma\Application Data\GDIPFONTCACHEV1.DAT
2007-04-02 13:32 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2007-03-08 12:02 28,672 ----a-w C:\Documents and Settings\psharma\atwbxdet.dll
2007-03-07 11:51 0 ----a-w C:\Documents and Settings\psharma\hsqlprefs.dat
2006-09-11 15:50 19,512 ----a-w C:\Documents and Settings\wichmanne\Application Data\GDIPFONTCACHEV1.DAT
2006-07-10 17:05 31,192 ----a-w C:\Documents and Settings\shawj\Application Data\GDIPFONTCACHEV1.DAT
2006-03-06 14:57 19,512 ----a-w C:\Documents and Settings\amarteifios\Application Data\GDIPFONTCACHEV1.DAT
2006-01-20 18:16 19,512 ----a-w C:\Documents and Settings\wichmannd\Application Data\GDIPFONTCACHEV1.DAT
2005-11-30 15:23 19,512 ----a-w C:\Documents and Settings\vmehandru\Application Data\GDIPFONTCACHEV1.DAT
2005-08-04 15:12 19,512 ----a-w C:\Documents and Settings\newtonm.EC3SOLUTIONS\Application Data\GDIPFONTCACHEV1.DAT
2002-10-14 13:42 17,960 ----a-w C:\Documents and Settings\newtonm\Application Data\GDIPFONTCACHEV1.DAT
2002-10-07 15:33 65,960 ----a-w C:\Documents and Settings\devonaldi\Application Data\GDIPFONTCACHEV1.DAT
2002-04-19 13:40 20,664 ----a-w C:\Documents and Settings\alex\Application Data\GDIPFONTCACHEV1.DAT
2002-04-17 14:57 1,660,960 ----a-w C:\Program Files\mmssetup.exe
2002-03-01 17:14 17,576 ----a-w C:\Documents and Settings\shiela\Application Data\GDIPFONTCACHEV1.DAT
2002-02-12 16:51 17,576 ----a-w C:\Documents and Settings\weaverj\Application Data\GDIPFONTCACHEV1.DAT
2002-02-07 15:25 216,265 ----a-w C:\Program Files\14225.zip
2002-02-07 15:20 414,011 ----a-w C:\Program Files\18574.zip
2002-02-07 15:17 330,599 ----a-w C:\Program Files\14575.zip
2002-01-21 10:20 1,041,807 ----a-w C:\Program Files\dap5.exe
2002-01-21 09:25 5,177,300 ----a-w C:\Program Files\esdownloadresumer11.zip
2002-01-17 18:23 17,576 ----a-w C:\Documents and Settings\akandeo\Application Data\GDIPFONTCACHEV1.DAT
2001-09-29 23:14 35 ----a-w C:\Program Files\setup.ini
2001-04-10 07:58 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-04-10 07:58 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2000-07-26 07:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
2000-05-18 01:00 1,511,680 ----a-w C:\Program Files\InstMsiA.exe
2000-05-18 01:00 1,509,632 ----a-w C:\Program Files\InstMsiW.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 11:09 8192 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NuTCSetupEnviron"="C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe" [01-01-02 17:25 16384]
"SoDA Startup"="C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe" [01-10-15 18:13 114688]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\SYSTEM32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 12:03 36975]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [04-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [04-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [03-10-07 09:48 147514]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 39792]
"TraySantaCruz"="C:\WINNT\SYSTEM32\TBCTRAY.EXE" [00-07-26 17:46 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
discfix.lnk - C:\DELL\discfix.cmd [1980-01-01 75]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2001-11-30 09:31:36 69632]

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys [00-11-21 16:19 ]
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 11:11 ]
R0 IntelATA;Intel Ultra ATA Controller;C:\WINNT\system32\DRIVERS\IntelAta.sys [01-03-23 00:00 ]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys [00-06-06 13:51 ]
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE [00-05-23 17:48 ]
R2 ActionAgent;ActionAgent;C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe [01-05-14 16:23 ]
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys [00-05-03 18:22 ]
R2 DLT;DLT;C:\Program Files\Dell\OpenManage\Client\DLT.exe [01-05-14 17:24 ]
R2 NetProbe;NetProbe Packet Driver;C:\WINNT\system32\DRIVERS\netprobe.sys [03-02-19 14:22 ]
R2 NetSupport DNA Client;NetSupport DNA Client;C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe [07-02-20 17:33 ]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [00-09-13 14:18 ]
R2 NuTCRACKERService;NuTCRACKER Service;C:\WINNT\System32\nutsrv4.exe [01-01-02 12:55 ]
R2 PCIGateway;Gateway32;"C:\Program Files\NetSupport Manager\gateway32.exe" [07-10-01 15:10 ]
R2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINNT\System32\inetsrv\inetinfo.exe [03-06-19 11:05 ]
R2 sysam;sysam;C:\Sybase\SYSAM-1_0\bin\lmgrd []
R2 tcaicchg;tcaicchg;C:\WINNT\System32\tcaicchg.sys [00-06-06 18:08 ]
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys [00-06-07 20:49 ]
R2 Tomcat5;Apache Tomcat;"C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" [04-08-28 22:06 ]
R3 EntDrv50;EntDrv50;C:\WINNT\system32\drivers\EntDrv50.sys [04-09-22 20:00 ]
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys [00-12-14 13:14 ]
S2 MSSQL$DS_002;MSSQL$DS_002;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe [00-08-06 01:50 ]
S3 icoyaSite;icoya OpenContent (icoyaSite);C:\PROGRA~1\struktur\ICOYAS~1\bin\lib\win32\PythonService.exe [03-07-07 16:58 ]
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [05-08-02 22:10 ]
S3 SQLAgent$DS_002;SQLAgent$DS_002;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe [00-08-06 01:50 ]
S3 SYBBCK_DS_001_BS;Sybase BCKServer _ DS_001_BS;c:\sybase\ASE-12_5\bin\bcksrvr.exe -SDS_001_BS []
S3 SYBMON_DS_001_MS;Sybase MONServer _ DS_001_MS;c:\sybase\ASE-12_5\bin\monsrvr.exe -MDS_001_MS []
S3 SYBSQL_DS_001;Sybase SQLServer _ DS_001;c:\sybase\ASE-12_5\bin\sqlsrvr.exe -sDS_001 []
S3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [00-07-26 18:04 ]
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [00-07-26 18:04 ]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [03-06-13 16:45 ]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 00:00:02 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 01:00:02 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 02:00:02 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 03:00:02 C:\WINNT\Tasks\At4.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 04:00:02 C:\WINNT\Tasks\At5.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 05:00:02 C:\WINNT\Tasks\At6.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 06:00:02 C:\WINNT\Tasks\At7.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 07:00:02 C:\WINNT\Tasks\At8.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 08:00:02 C:\WINNT\Tasks\At9.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 09:00:02 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 10:00:02 C:\WINNT\Tasks\At11.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 11:00:02 C:\WINNT\Tasks\At12.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 12:00:02 C:\WINNT\Tasks\At13.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-02-01 13:00:02 C:\WINNT\Tasks\At14.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 14:00:02 C:\WINNT\Tasks\At15.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 15:00:02 C:\WINNT\Tasks\At16.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 16:00:02 C:\WINNT\Tasks\At17.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 17:00:02 C:\WINNT\Tasks\At18.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 18:00:02 C:\WINNT\Tasks\At19.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 19:00:02 C:\WINNT\Tasks\At20.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 20:00:02 C:\WINNT\Tasks\At21.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 21:00:02 C:\WINNT\Tasks\At22.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 22:00:02 C:\WINNT\Tasks\At23.job"
- C:\WINNT\system32\y44ig5kg.exe
"2008-01-31 23:00:02 C:\WINNT\Tasks\At24.job"
- C:\WINNT\system32\y44ig5kg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 09:18:21
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sybase EP Management Agent]
"ImagePath"="C:\Sybase\shared-1_0\bin\sybjsvc.exe -O -nv -a \"-snSybase EP Management Agent\" c:/sybase/SHARED-1_0/JRE_1_3\bin\java -classpath C:\Sybase\EAServer\java\lib\easclient.jar;C:\Sybase\EAServer\java\lib\easj2ee.jar;C:\Sybase\AgentManager-3_0_0\classes\cimbase.jar;C:\Sybase\AgentManager-3_0_0\classes\am.jar;C:\Sybase\AgentManager-3_0_0\classes\amclient.jar;C:\Sybase\shared-1_0\lib\xml.jar;C:\Sybase\shared-1_0\lib\log4j.jar;C:\Sybase\shared-1_0\lib\log4j-core.jar;C:\Sybase\jConnect-5_5/classes/jTDS2.jar;. -Dfile.encoding=8859_1 com.sybase.management.WBEM.am.Sybmag -F C:\Sybase\AgentManager-3_0_0\sybmag.props -o C:\Sybase\AgentManager-3_0_0\sybmag.log"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\SYSTEM32\winlogon.exe
-> C:\Program Files\NetSupport DNA\DNA\Client\Components\dnaapphook.dll
.
Completion time: 2008-02-04 9:19:28
ComboFix-quarantined-files.txt 2008-02-04 09:19:26
ComboFix3.txt 2008-02-01 13:48:26
ComboFix2.txt 2008-02-04 09:12:36


And the HijackThis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:14, on 2008-02-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NetSupport Manager\client32.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\NetSupport Manager\gateway32.exe
C:\WINNT\system32\regsvc.exe
C:\Sybase\shared-1_0\bin\sybjsvc.exe
C:\Sybase\SYSAM-1_0\bin\lmgrd.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\Sybase\SYSAM-1_0\bin\SYBASE.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Sybase\EPASA-7_0_3\win32\dbsrv7.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\IntelliJ-IDEA-3.0.1\bin\idea.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Embarcadero\RSQL603\RSQL603.exe
C:\java\j2sdk1.4.2\bin\javaw.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\SYSTEM32\TBCTRAY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195031678248
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ec3solutions.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: Domain = ec3solutions.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{CEB1D705-3F86-4904-9145-D8C0F97C4624}: NameServer = 192.168.0.3,192.168.0.8
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: CLIENT32 - NetSupport Ltd - C:\Program Files\NetSupport Manager\client32.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: icoya OpenContent (icoyaSite) (icoyaSite) - Unknown owner - C:\PROGRA~1\struktur\ICOYAS~1\bin\lib\win32\PythonService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetSupport DNA Client - NetSupport Ltd - C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Gateway32 (PCIGateway) - Unknown owner - C:\Program Files\NetSupport Manager\gateway32.exe" /* * (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sybase EP Management Agent - Unknown owner - C:\Sybase\shared-1_0\bin\sybjsvc.exe
O23 - Service: Sybase BCKServer _ DS_001_BS (SYBBCK_DS_001_BS) - Unknown owner - c:\sybase\ASE-12_5\bin\bcksrvr.exe (file missing)
O23 - Service: Sybase MONServer _ DS_001_MS (SYBMON_DS_001_MS) - Unknown owner - c:\sybase\ASE-12_5\bin\monsrvr.exe (file missing)
O23 - Service: Sybase SQLServer _ DS_001 (SYBSQL_DS_001) - Unknown owner - c:\sybase\ASE-12_5\bin\sqlsrvr.exe (file missing)
O23 - Service: sysam - Unknown owner - C:\Sybase\SYSAM-1_0\bin\lmgrd (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Please advise.