POP UP'S And Malware


  • This topic is locked
10 replies to this topic

#1 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • 7 posts

Posted 30 November 2005 - 11:53 AM

I have a user who is experiencing system degradation. I have found snci.exe running under processes. When I queried it, your site continued to pop up. I desperately need help with this and have always been wary of HijackThis (only because I do not understand it).

I have run updated versions of Pest Patrol and Ad-aware. Both found and removed pests and are now running clean. I downloaded HijackThis and ran a scan.

Here is the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 12:36:12 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\??xplore.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\eaba\snci.exe
C:\WINDOWS\system32\taskmgr.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caribex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {757A45CB-D828-8AFC-2BF4-D4F88CE0CF9E} - C:\WINDOWS\system32\evfvaj.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\rqrsq.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [_WinMain] C:\WINDOWS\winexec.exe
O4 - HKLM\..\Run: [0erUZ86I] C:\WINDOWS\hdgfjncs.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Tpdmrn.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Iguexhw] C:\WINDOWS\system32\??xplore.exe
O4 - HKCU\..\Run: [Tair] "C:\Program Files\eaba\snci.exe" -vt ndrv
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132155110943
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132155098793
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scans...iles/np_max.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = caribex.com
O17 - HKLM\Software\..\Telephony: DomainName = caribex.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = caribex.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = caribex.com
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhgf - jkhgf.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rqrsq - C:\WINDOWS\system32\rqrsq.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe



Any assistance with this is greatly appreciated.

Thank you
Lisa Travis



#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 30 November 2005 - 02:29 PM

STEP 1.
======
SpySweeper
Please download WebRoot SpySweeper .
(It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
STEP 2.
======
Download Ewido
  • Download and install Ewido Security Suite. It is a free trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
STEP 3.
======
Update Ewido
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

STEP 4.
======
Ewido Scan
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    o You will need to step through the process of cleaning files one-by-one.
    o If ewido detects a file you KNOW to be legitimate, select none as the action.
    o DO NOT select "Perform action on all infections"
    o If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


STEP 5.
======
CWShredder

Please download and run CWShredder
Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

STEP 6.
======

Please do an online scan here >>>> http://housecall.trendmicro.com/ and allow it to clean/remove what it finds.


Please post the results from SpySweeper, ewido and a new hijackthis log.

#3 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • 7 posts

Posted 01 December 2005 - 01:40 PM

Wow Siggyx, I appreciate the prompt response. When reviewing this website it appeared the average response time was 5 days... So I read many of the posts and decided to download every spyware removal tool suggested. I have run CWShredder, Ad-aware, Spybot, Ewido, and Pest Patrol, all in Safe mode. All of the programs have run numerous times and removed multiple pests. I just downloaded your recommendation, SpySweeper. It is currently running in Diag. mode. Is this OK? As soon as it has completed I will post all the logs.... CWShredder did not find anything when run yesterday afternoon. And at this point Ewido, Pest Patrol, Spybot, and Ad-aware are showing no infections. But again, thank you for such a quick response, and as soon as I have the logs to post I will do so... Lisa

#4 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • 7 posts

Posted 01 December 2005 - 03:45 PM

Spysweeper log
********
2:52 PM: | Start of Session, Thursday, December 01, 2005 |
2:52 PM: Spy Sweeper started
2:52 PM: Sweep initiated using definitions version 576
2:52 PM: Starting Memory Sweep
2:52 PM: Warning: Failed to load image: C:\WINDOWS\system32\rqrsq.dll
2:53 PM: Found Adware: virtumonde
2:53 PM: Detected running threat: C:\WINDOWS\SYSTEM32\rqrsq.dll (ID = 77)
2:57 PM: Memory Sweep Complete, Elapsed Time: 00:04:32
2:57 PM: Starting Registry Sweep
2:57 PM: Found Adware: cws-aboutblank
2:57 PM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
2:57 PM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
2:57 PM: Found Adware: dealhelper
2:57 PM: HKLM\software\microsoft\windows\currentversion\run\ || secure (ID = 124798)
2:57 PM: Found Adware: ezula ilookup
2:57 PM: HKLM\software\microsoft\webext\ (34 subtraces) (ID = 828947)
2:57 PM: Registry Sweep Complete, Elapsed Time:00:00:15
2:57 PM: Starting Cookie Sweep
2:57 PM: Found Spy Cookie: infospace cookie
2:57 PM: administrator@infospace[1].txt (ID = 2865)
2:57 PM: Found Spy Cookie: hbmediapro cookie
2:57 PM: rloseke@adopt.hbmediapro[2].txt (ID = 2768)
2:57 PM: Found Spy Cookie: cc214142 cookie
2:57 PM: rloseke@ads.cc214142[1].txt (ID = 2367)
2:57 PM: Found Spy Cookie: ask cookie
2:57 PM: rloseke@ask[1].txt (ID = 2245)
2:57 PM: Found Spy Cookie: starware.com cookie
2:57 PM: rloseke@h.starware[1].txt (ID = 3442)
2:57 PM: Found Spy Cookie: clickandtrack cookie
2:57 PM: rloseke@hits.clickandtrack[2].txt (ID = 2397)
2:57 PM: Found Spy Cookie: reliablestats cookie
2:57 PM: rloseke@stats1.reliablestats[2].txt (ID = 3254)
2:57 PM: rloseke@www.starware[1].txt (ID = 3442)
2:57 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:57 PM: Starting File Sweep
3:13 PM: tpdmrnk1.xml (ID = 57647)
3:13 PM: tpdmrnk.xml (ID = 57646)
3:20 PM: tpdmrnu2.xml (ID = 57651)
3:22 PM: tpdmrnu.xml (ID = 57649)
3:23 PM: tpdmrnu1.xml (ID = 57650)
3:31 PM: tpdmrnk2.xml (ID = 57648)
3:31 PM: Found Adware: quicklink search toolbar
3:31 PM: preuninstallql.exe (ID = 131326)
3:31 PM: tpdmrndk.xml (ID = 57645)
3:31 PM: newtpdmrntime.xml (ID = 163168)
3:32 PM: File Sweep Complete, Elapsed Time: 00:34:59
3:32 PM: Full Sweep has completed. Elapsed time 00:39:57
3:32 PM: Traces Found: 60
3:37 PM: Removal process initiated
3:37 PM: Quarantining All Traces: cws-aboutblank
3:37 PM: Quarantining All Traces: virtumonde
3:37 PM: virtumonde is in use. It will be removed on reboot.
3:37 PM: C:\WINDOWS\SYSTEM32\rqrsq.dll is in use. It will be removed on reboot.
3:37 PM: Quarantining All Traces: dealhelper
3:37 PM: Quarantining All Traces: ezula ilookup
3:37 PM: Quarantining All Traces: quicklink search toolbar
3:37 PM: Quarantining All Traces: ask cookie
3:37 PM: Quarantining All Traces: cc214142 cookie
3:37 PM: Quarantining All Traces: clickandtrack cookie
3:37 PM: Quarantining All Traces: hbmediapro cookie
3:37 PM: Quarantining All Traces: infospace cookie
3:37 PM: Quarantining All Traces: reliablestats cookie
3:37 PM: Quarantining All Traces: starware.com cookie
3:37 PM: Warning: Timed out waiting for explorer.exe
3:37 PM: Warning: Timed out waiting for explorer.exe
3:37 PM: Warning: Timed out waiting for explorer.exe
3:37 PM: Warning: Quarantine process could not restart Explorer.
3:38 PM: Removal process completed. Elapsed time 00:00:54
********
2:33 PM: | Start of Session, Thursday, December 01, 2005 |
2:33 PM: Spy Sweeper started
2:33 PM: Sweep initiated using definitions version 556
2:33 PM: Starting Memory Sweep
2:33 PM: Found Adware: virtumonde
2:33 PM: Detected running threat: C:\WINDOWS\SYSTEM32\rqrsq.dll (ID = 77)
2:34 PM: Memory Sweep Complete, Elapsed Time: 00:00:46
2:34 PM: Starting Registry Sweep
2:34 PM: Found Adware: cws-aboutblank
2:34 PM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
2:34 PM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
2:34 PM: Found Adware: dealhelper
2:34 PM: HKLM\software\microsoft\windows\currentversion\run\ || secure (ID = 124798)
2:34 PM: Registry Sweep Complete, Elapsed Time:00:00:09
2:34 PM: Starting Cookie Sweep
2:34 PM: Found Spy Cookie: infospace cookie
2:34 PM: administrator@infospace[1].txt (ID = 2865)
2:34 PM: Found Spy Cookie: hbmediapro cookie
2:34 PM: rloseke@adopt.hbmediapro[2].txt (ID = 2768)
2:34 PM: Found Spy Cookie: cc214142 cookie
2:34 PM: rloseke@ads.cc214142[1].txt (ID = 2367)
2:34 PM: Found Spy Cookie: ask cookie
2:34 PM: rloseke@ask[1].txt (ID = 2245)
2:34 PM: Found Spy Cookie: starware.com cookie
2:34 PM: rloseke@h.starware[1].txt (ID = 3442)
2:34 PM: Found Spy Cookie: clickandtrack cookie
2:34 PM: rloseke@hits.clickandtrack[2].txt (ID = 2397)
2:34 PM: Found Spy Cookie: reliablestats cookie
2:34 PM: rloseke@stats1.reliablestats[2].txt (ID = 3254)
2:34 PM: rloseke@www.starware[1].txt (ID = 3442)
2:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:34 PM: Starting File Sweep
2:37 PM: tpdmrnk1.xml (ID = 57647)
2:37 PM: tpdmrnk.xml (ID = 57646)
2:38 PM: tpdmrnu2.xml (ID = 57651)
2:39 PM: tpdmrnu.xml (ID = 57649)
2:39 PM: tpdmrnu1.xml (ID = 57650)
2:41 PM: tpdmrnk2.xml (ID = 57648)
2:41 PM: Found Adware: quicklink search toolbar
2:41 PM: preuninstallql.exe (ID = 131326)
2:41 PM: tpdmrndk.xml (ID = 57645)
2:41 PM: newtpdmrntime.xml (ID = 163168)
2:41 PM: File Sweep Complete, Elapsed Time: 00:07:12
2:41 PM: Full Sweep has completed. Elapsed time 00:08:14
2:41 PM: Traces Found: 25
2:52 PM: Your spyware definitions have been updated.
2:52 PM: Processing Hosts File Alerts
2:52 PM: Allowed Hosts File entry: zero
2:52 PM: | End of Session, Thursday, December 01, 2005 |
********
2:32 PM: | Start of Session, Thursday, December 01, 2005 |
2:32 PM: Spy Sweeper started
2:32 PM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 556
2:33 PM: | End of Session, Thursday, December 01, 2005 |


Ewido Log ---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:22:14 PM, 12/1/2005
+ Report-Checksum: 485DABDC

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup


::Report End



Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 4:39:58 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {757A45CB-D828-8AFC-2BF4-D4F88CE0CF9E} - C:\WINDOWS\system32\evfvaj.dll (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\rqrsq.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [_WinMain] C:\WINDOWS\winexec.exe
O4 - HKLM\..\Run: [0erUZ86I] C:\WINDOWS\hdgfjncs.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Tair] "C:\Program Files\eaba\snci.exe" -vt ndrv
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132155110943
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132155098793
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scans...iles/np_max.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = caribex.com
O17 - HKLM\Software\..\Telephony: DomainName = caribex.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = caribex.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = caribex.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhgf - jkhgf.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rqrsq - C:\WINDOWS\system32\rqrsq.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe




We are currently using Norton. All shows clean.. I am running the online scan from Trend now.

Thank you
Lisa

#5 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • 7 posts

Posted 02 December 2005 - 07:40 AM

I completed the Trend Micro online scan. No threats or viruses found... System ran clean.

#6 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 02 December 2005 - 08:21 AM

Scan with hijackthis and put a check beside these lines and choose FIX

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {757A45CB-D828-8AFC-2BF4-D4F88CE0CF9E} - C:\WINDOWS\system32\evfvaj.dll (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\rqrsq.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [_WinMain] C:\WINDOWS\winexec.exe
O4 - HKLM\..\Run: [0erUZ86I] C:\WINDOWS\hdgfjncs.exe
O4 - HKCU\..\Run: [Tair] "C:\Program Files\eaba\snci.exe" -vt ndrv

O20 - Winlogon Notify: jkhgf - jkhgf.dll (file missing)
O20 - Winlogon Notify: rqrsq - C:\WINDOWS\system32\rqrsq.dll (file missing)

Then reboot to safe mode (tap F8 while the BIOS loads). Make sure all hidden files/folders are visible, tutorial >>> HERE

Then look for and delete these files if present

C:\WINDOWS\winexec.exe
C:\WINDOWS\hdgfjncs.exe
C:\Program Files\eaba\snci.exe

Reboot to normal mode scan and post a new hijackthis log please.

#7 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • 7 posts

Posted 02 December 2005 - 09:05 AM

Thank you for the response. I have completed the requested task. Here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:13 AM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\RLOSEKE\Desktop\HijackThis.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caribex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Iguexhw] C:\WINDOWS\system32\??xplore.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132155110943
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132155098793
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scans...iles/np_max.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = caribex.com
O17 - HKLM\Software\..\Telephony: DomainName = caribex.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = caribex.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = caribex.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
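
For reading O4 entries in logs like the one above, here is an added example (not HijackThis code, and not posted by anyone in this thread) that parses the registry Run lines and lists the ones a helper would want to look at by hand. The sample lines are constructed in the v1.99.1 format; the two flagging rules (characters that cannot occur in an NTFS file name, and a name within two edits of a well-known Windows binary) and the KNOWN_BINARIES list are my own assumptions, not HijackThis rules.

```python
import re
from typing import Dict, List, NamedTuple
# Constructed sample lines in HijackThis v1.99.1 O4 format (raw string keeps backslashes).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [Iguexhw] C:\WINDOWS\system32\??xplore.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
O4_RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
EXE_RE = re.compile(r'"?(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:"|\s|$)', re.I)
BAD_CHARS = set('<>"|?*')  # characters that cannot occur inside an NTFS file name
KNOWN_BINARIES = ("iexplore.exe", "explorer.exe", "svchost.exe")  # assumed lookalike targets
# hive (HKLM/HKCU), key (Run, RunOnce...), value name in [brackets], exe path without quotes/args
RunEntry = NamedTuple("RunEntry", [("hive", str), ("key", str), ("name", str), ("exe", str)])

def parse_o4(log: str) -> List[RunEntry]:
    """Parse registry Run entries; Global Startup (.lnk) lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            e = EXE_RE.match(command)
            entries.append(RunEntry(hive, key, name, e.group(1) if e else command.strip('"')))
    return entries

def _edits(a: str, b: str) -> int:  # Levenshtein distance for the lookalike heuristic
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_reasons(entry: RunEntry) -> List[str]:
    """Assumed heuristics, not HijackThis rules: bad characters and lookalike names."""
    reasons = []
    odd = sorted({c for c in entry.exe if c in BAD_CHARS or not 32 <= ord(c) < 127})
    if odd:
        reasons.append(f"file name contains invalid or non-ASCII characters: {odd}")
    base = entry.exe.rsplit("\\", 1)[-1].lower()
    for known in KNOWN_BINARIES:
        if base != known and _edits(base, known) <= 2:
            reasons.append(f"{base!r} is within 2 edits of {known!r}")
    return reasons

def audit(log: str) -> Dict[str, List[str]]:  # value name -> reasons, flagged entries only
    return {e.name: r for e in parse_o4(log) if (r := flag_reasons(e))}
```

A flagged entry is a prompt for manual review of the file and the registry value, not a verdict on its own.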

#8 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 02 December 2005 - 09:39 AM

Still a nasty in there. Boot to safe mode and scan with Ewido again, allowing it to remove what it finds, then a new HijackThis log and Ewido log please.

#9 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 02 December 2005 - 10:00 AM

It appears to be resolved but I will complete the above suggestions... Thank you Sooooooo Much. Once complete we will be making a donation. Lisa

#10 Lisa Travis

Lisa Travis

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 02 December 2005 - 01:03 PM

Siggyx you rock! :rofl: Thank you for all your help. We ran Ewido in safe mode and it returned no infections found.... Happy Holidays..... Lisa

#11 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 02 December 2005 - 04:28 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
