Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91910 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Hijack This Log,


  • This topic is locked This topic is locked
22 replies to this topic

#1 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 07 November 2005 - 08:09 PM

If anyone could assist me in removing these popups, I would be v grateful...

Regards Rob5

Logfile of HijackThis v1.99.1
Scan saved at 2:55:44, on 08-11-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\WINNT\system32\ccs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\ircomm2k.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINNT\system32\am772cfg.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Cisco Aironet\ADU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 62.100.59.196 offcentric.com
O1 - Hosts: 62.100.59.196:25899 laptop
O1 - Hosts: 172.16.36.10 amsrs039 amsrs039.cgn.canon-europa.com
O1 - Hosts: 172.16.4.12 nas-cenv-ams2.cenv.canon.nl
O1 - Hosts: 193.42.251.103 amsrs048.cgn.canon-europa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINNT\system32\am772cfg.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [qumw] C:\PROGRA~1\COMMON~1\qumw\qumwm.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .rx: C:\Program Files\Attachmate\KEA! X\npacirx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cenv.cgn.mycanon.net/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINNT\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINNT\System32\ircomm2k.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome8ClientCache80 - Unknown owner - C:\oracle\Ora8\BIN\ONRSD80.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

    Advertisements

Register to Remove


#2 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 15 November 2005 - 02:21 PM

Hello and welcome to the forums. Sorry for the delay in responding, but we have been pretty busy here lately. Since your log might have changed since your last posting, I would like to see a new log. If you could please post a new log, I will be glad to review it.

#3 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 16 November 2005 - 06:42 AM

Hello and welcome to the forums. Sorry for the delay in responding, but we have been pretty busy here lately. Since your log might have changed since your last posting, I would like to see a new log. If you could please post a new log, I will be glad to review it.


Hi thanks for responding, here is the logfile

Regards

Rob

Logfile of HijackThis v1.99.1
Scan saved at 13:39:18, on 16-11-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINNT\system32\ccs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\ircomm2k.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINNT\system32\am772cfg.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Cisco Aironet\ADU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Peregrine\ServiceCenter\RUN\scguiw32.exe
D:\downloads\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 62.100.59.196 offcentric.com
O1 - Hosts: 62.100.59.196:25899 laptop
O1 - Hosts: 172.16.36.10 amsrs039 amsrs039.cgn.canon-europa.com
O1 - Hosts: 172.16.4.12 nas-cenv-ams2.cenv.canon.nl
O1 - Hosts: 193.42.251.103 amsrs048.cgn.canon-europa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINNT\system32\am772cfg.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [qumw] C:\PROGRA~1\COMMON~1\qumw\qumwm.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .rx: C:\Program Files\Attachmate\KEA! X\npacirx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cenv.cgn.mycanon.net/
O15 - Trusted Zone: http://www.kruidvat.nl
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprint...IPSUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINNT\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINNT\System32\ircomm2k.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome8ClientCache80 - Unknown owner - C:\oracle\Ora8\BIN\ONRSD80.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#4 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 16 November 2005 - 09:57 AM

You might have a LOP infection, which is most often transmitted by the program Messenger Plus! 3. Do you (or did you at any point) have Messenger Plus installed? If you still do have it installed, please uninstall it completely from Start -> Control Panel -> Add/Remove Programs, restart your computer, and then post a new HijackThis log.

If you did have it installed, but do not anymore, please do the following:

1) Reinstall Messenger Plus! 3 from scratch from here:
http://www.msgplus.net/

2) Make sure during installation to ACCEPT the optional sponsor software.

3) Then please uninstall Messenger Plus completely, restart your computer, and post a new HijackThis log. :)

#5 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 16 November 2005 - 10:23 AM

You might have a LOP infection, which is most often transmitted by the program Messenger Plus! 3. Do you (or did you at any point) have Messenger Plus installed? If you still do have it installed, please uninstall it completely from Start -> Control Panel -> Add/Remove Programs, restart your computer, and then post a new HijackThis log.

If you did have it installed, but do not anymore, please do the following:

1) Reinstall Messenger Plus! 3 from scratch from here:
http://www.msgplus.net/

2) Make sure during installation to ACCEPT the optional sponsor software.

3) Then please uninstall Messenger Plus completely, restart your computer, and post a new HijackThis log. :)


Hi, Yes I did have messenger plus 3 installed the uninstall failed, so I re-installed > accepted teh sponsor program and then uninstalled > Then rebooted and re-ran HijackThis logfile is below...

Regards

Rob

Logfile of HijackThis v1.99.1
Scan saved at 17:19:43, on 16-11-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINNT\system32\ccs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\ircomm2k.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINNT\system32\am772cfg.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Cisco Aironet\ADU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
D:\downloads\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qnxyjbmtb...j58HnsBAPWI.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 62.100.59.196 offcentric.com
O1 - Hosts: 62.100.59.196:25899 laptop
O1 - Hosts: 172.16.36.10 amsrs039 amsrs039.cgn.canon-europa.com
O1 - Hosts: 172.16.4.12 nas-cenv-ams2.cenv.canon.nl
O1 - Hosts: 193.42.251.103 amsrs048.cgn.canon-europa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINNT\system32\am772cfg.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [qumw] C:\PROGRA~1\COMMON~1\qumw\qumwm.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .rx: C:\Program Files\Attachmate\KEA! X\npacirx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cenv.cgn.mycanon.net/
O15 - Trusted Zone: http://www.kruidvat.nl
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprint...IPSUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINNT\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINNT\System32\ircomm2k.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome8ClientCache80 - Unknown owner - C:\oracle\Ora8\BIN\ONRSD80.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#6 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 16 November 2005 - 02:28 PM

Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, Right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

Please run HijackThis and click "Scan." Place checks next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qnxyjbmtb...j58HnsBAPWI.jsp
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [qumw] C:\PROGRA~1\COMMON~1\qumw\qumwm.exe


Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Delete the following files and folders:
C:\Program Files\Common Files\qumw <--This folder and its contents.

Reboot your computer and post a new HJT log.

#7 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 17 November 2005 - 04:32 AM

Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:

  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, Right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

Please run HijackThis and click "Scan." Place checks next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qnxyjbmtb...j58HnsBAPWI.jsp
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [qumw] C:\PROGRA~1\COMMON~1\qumw\qumwm.exe


Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Delete the following files and folders:
C:\Program Files\Common Files\qumw <--This folder and its contents.

Reboot your computer and post a new HJT log.


Hi,

I've followed the instructions above and the logfile after reboot is below:

However as I was closing all other windows a blue fullscreen frameless popup appeared and informed me that a program called SpySpotter was installing, and despite closing all windows and trying to kill the install with task manager, it actually managed to install and I have a nice shiny desktop icon which I haven't dared to click. I can't believe it's legal to write installers like this...

Anyway here's the log

cheers

Rob


Logfile of HijackThis v1.99.1
Scan saved at 11:23:41, on 17-11-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINNT\system32\ccs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\ircomm2k.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINNT\system32\am772cfg.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Cisco Aironet\ADU.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\downloads\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
O1 - Hosts: 62.100.59.196 offcentric.com
O1 - Hosts: 62.100.59.196:25899 laptop
O1 - Hosts: 172.16.36.10 amsrs039 amsrs039.cgn.canon-europa.com
O1 - Hosts: 172.16.4.12 nas-cenv-ams2.cenv.canon.nl
O1 - Hosts: 193.42.251.103 amsrs048.cgn.canon-europa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINNT\system32\am772cfg.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .rx: C:\Program Files\Attachmate\KEA! X\npacirx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cenv.cgn.mycanon.net/
O15 - Trusted Zone: http://www.kruidvat.nl
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CEU.canon.eu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ceu.canon.eu,emea.canon.intra,cenv.canon.nl,local.canon-europa.com,cgn.canon-europa.com,canon-europe.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINNT\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINNT\System32\ircomm2k.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome8ClientCache80 - Unknown owner - C:\oracle\Ora8\BIN\ONRSD80.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#8 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 17 November 2005 - 09:49 AM

In the future, please use the "Post Reply" button. Let's make sure we got the remnants of LOP. Open notepad and copy and paste next in it:

dir %Windir%\tasks /a h > files.txt
notepad files.txt


Save this as findjobs.bat , choose to save it as *all files and place it on your desktop.
Doubleclick on op findjobs.bat and post the content of the txtfile you get in your next reply.

#9 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 17 November 2005 - 10:43 AM

Hi, Sorry bear with me please, I can't see any post reply button, all there seems to be is "reply" or "fast reply" or "add reply". Here's the output: Volume in drive C is Operating System Volume Serial Number is 9CC2-619F Directory of C:\WINNT\tasks 16-11-05 17:06 <DIR> . 16-11-05 17:06 <DIR> .. 07-12-99 13:00 65 desktop.ini 17-11-05 11:19 6 SA.DAT 15-11-05 04:00 344 XoftSpy.job 3 File(s) 415 bytes Directory of C:\Documents and Settings\Rob.Simmons.CEU\Desktop Can you reccomend any software to stop this happening again, I have corporate norton Anti-Virus, ad-aware and Microsoft antispyware and this stuff just went straight past as if they weren't there... Regards Rob

#10 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 18 November 2005 - 11:24 AM

Ok, LOP is gone now. Is there an entry in the Add/Remove Programs screen for SpySpotter? If so, try uninstalling that way.

    Advertisements

Register to Remove


#11 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 18 November 2005 - 04:27 PM

Great, yes there was an uninstall option and it's gone... Thanks very much for the help Regards Rob

#12 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 19 November 2005 - 12:39 AM

Can we try another scan? Please download the trial version of Ewido Security Suite here. Install it, and update the definitions to the newest files. Run the scan and allow it fix what it finds. Please post the Ewido log for me to review.

#13 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 19 November 2005 - 04:57 AM

hI, Ewido installed and here's the log --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 11:55:11, 19-11-05 + Report-Checksum: E3BCF779 + Scan result: HKLM\SOFTWARE\Classes\Interface\{1108D63A-E840-44E8-8BDA-E7AA4E63A39F} -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{1108D63A-E840-44E8-8BDA-E7AA4E63A39F}\TypeLib\\ -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{706CD395-232A-460C-9F34-03174CEED804} -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{706CD395-232A-460C-9F34-03174CEED804}\TypeLib\\ -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\TypeLib\{B438E899-8E85-41D3-B42A-0ED73EBCF3CB} -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\VacPro.olanda_ver3 -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\VacPro.olanda_ver3\Clsid -> Dialer.Generic : Cleaned with backup HKLM\SOFTWARE\Classes\VacPro.olanda_ver3\Clsid\\ -> Spyware.RoingsSearch : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/olanda_ver3.ocx\\.Owner -> Spyware.RoingsSearch : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/olanda_ver3.ocx\\{018A066F-584A-422F-AC4C-0B1F5FE5C040} -> Spyware.RoingsSearch : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/objsafe.tlb\\.Owner -> Spyware.RoingsSearch : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/objsafe.tlb\\{018A066F-584A-422F-AC4C-0B1F5FE5C040} -> Spyware.RoingsSearch : Cleaned with backup C:\Documents and Settings\rob.simmons.AMS4952\Cookies\rob.simmons@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup C:\Documents and Settings\Rob.Simmons.CEU\Cookies\rob.simmons@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\Rob.Simmons.CEU\Cookies\rob.simmons@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Rob.Simmons.CEU\Cookies\rob.simmons@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup C:\Documents and Settings\Rob.Simmons.CEU\Cookies\rob.simmons@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup C:\Documents and Settings\Rob.Simmons.CEU\Local Settings\Temp\Cookies\rob.simmons@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup C:\Documents and Settings\Rob.Simmons.CEU\Local Settings\Temp\Cookies\rob.simmons@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup ::Report End

#14 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 20 November 2005 - 12:52 AM

Ok, let's try one more, if you don't mind. First though, let's clean up your cache. Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Once installed, run CCleaner click the Windows [tab]
Select the following:
Posted Image
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit.

Reboot, then please download the free MWAV antivirus tool from here. Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window. Please remove any lines relating to "Invalid object" as they are not needed at this time.

#15 rob5

rob5

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 20 November 2005 - 08:32 AM

Hi, CC Cleaner, system rebooted mwav run and log output below: Regards Rob File C:\PROGRA~1\RealVNC\WinVNC\WinVNC.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken. Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "errorguard Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "precisiontime Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "errorguard Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "precisiontime Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "yoursitebar Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "clipgenie Spyware/Adware" found in File System! Action Taken: No Action Taken. "C:\DOCUME~1\ROBSIM~1.CEU\LOCALS~1\Temp\PPT11.0\ShockwaveFlashObjects.exd". Action Taken: No Action Taken. "C:\DOCUME~1\ROBSIM~1.CEU\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken. "C:\DOCUME~1\ROBSIM~1.CEU\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken. File C:\WINNT\system32\ddrinf32.exe infected by "Trojan.Win32.Crypt.t" Virus! Action Taken: No Action Taken. File C:\Documents and Settings\All Users\Application Data\Drawlicenseonlinecast\pollthis.exe tagged as "not-a-virus:AdWare.Win32.Lop.ag". Action Taken: No Action Taken. File C:\Documents and Settings\Rob.Simmons.CEU\.jpi_cache\jar\1.0\arr3.jar-5a0e29fe-3fff7aa7.zip infected by "Trojan.Java.ClassLoader.i" Virus! Action Taken: No Action Taken. File C:\Documents and Settings\Rob.Simmons.CEU\.jpi_cache\jar\1.0\arr3.jar-67623ec7-3670a8b0.zip infected by "Trojan.Java.ClassLoader.i" Virus! Action Taken: No Action Taken. File C:\Documents and Settings\Rob.Simmons.CEU\.jpi_cache\jar\1.0\count3.jar-7d2c9337-783ad709.zip infected by "Trojan.Java.ClassLoader.ai" Virus! Action Taken: No Action Taken. File C:\Program Files\RealVNC\WinVNC\othread2.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken. File C:\Program Files\RealVNC\WinVNC\vnchooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken. File C:\WINNT\system32\ddrinf32.exe infected by "Trojan.Win32.Crypt.t" Virus! Action Taken: No Action Taken. File D:\downloads\Montpellier - RAC Course\R 11.5.9\tools\vnc\x86\vnc-3.3.3r9_x86_win32.zip tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.333. No Action Taken. File D:\downloads\radmin\RADMIN21.EXE tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken. File D:\downloads\radmin\radmin21.zip tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken. File D:\downloads\vnc\server&viewer\vnc-3.3.7-x86_win32.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken. File D:\downloads\vnc\vnc-3.3.7-x86_win32.zip tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users