Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Pc Slowed From Errorsafe/winantivirus


  • This topic is locked This topic is locked
8 replies to this topic

#1 arcticwolf618

arcticwolf618

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 26 April 2007 - 02:59 PM

About a week ago I started getting pop ups in Internet Explorer even though I use Firefox. The pop-ups were advertising for ErrorSafe and Win AntiVirus Pro (not sure of exact name). This continued for a couple days and over the last few days my computer has slowed down noticeably to the point where it takes about 10 minutes to boot fully into XP (also using Novell Login). For the first couple days, Windows Explorer needed to be started manually through Task Manager.

I've since run Spybot S&D for the last 3-4 days and cleaned 38-54 items every time it has run. I've also run Adaware and cleaned using that tool. However, when my computer boots up, Explorer does start now but it is still taking a good 5-7 minutes to boot completely and I am still getting website pop-ups for ErrorSafe and WinAntiVirus along with dialog pop-ups.

Any help with this is GREATLY appreciated as it is now affecting the performance of all programs (eg. MS Word takes about 2-3 minutes to open 500K documents, new tabs and new pages in Firefox are delayed about 2 minutes, etc).

I ran Hijack This and the following is the latest scan after I ran Spybot S&D.

If there is more information needed, please let me know. Thank you very much in advance!!

Logfile of HijackThis v1.99.1
Scan saved at 4:55:30 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\Program Files\ActivCard\ActivClient\acautsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivCard\ActivClient\acachsrv.exe
C:\Program Files\ActivCard\ActivClient\acevents.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
c:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ActivCard\ActivClient\accrdsub.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivCard\ActivClient\acsagent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://notesbos/tss/...v.nsf/mainframe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?

LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?

LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.parexel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

provided by PAREXEL
O1 - Hosts: 12.4.65.137 iwrs-uat.perceptive.com
O1 - Hosts: 12.41.43.33 iwrs-uat.perceptive.com
O1 - Hosts: 172.24.220.225 colo-ora-002 colo-ora-002.parexel.com low-ora-102
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivCard\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel

PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\niqvedyp.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ActivCard ActivClient Agent.lnk = C:\Program

Files\ActivCard\ActivClient\acsagent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Application Window.lnk = C:\Program Files\Novell\ZENworks\NalWin.exe
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = C:\Program Files\AT&T Global Network

Client\NetGM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11

\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11

\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} -

C:\Program Files\Novell\ZENworks\AxNalServer.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pbd: C:\Program Files\Internet Explorer\PLUGINS\NPPBA050.DLL
O12 - Plugin for .psr: C:\Program Files\Internet Explorer\PLUGINS\NPDWE050.DLL
O14 - IERESET.INF: START_PAGE_URL=http://home.parexel.com
O15 - Trusted Zone: http://*.helpdesk
O15 - Trusted Zone: http://*.parexel-cms
O15 - Trusted Zone: http://home.parexel.com
O15 - Trusted Zone: http://www.parexel.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -

http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {5C62BA7F-2EC1-11D1-BE6B-00600831F894} (SvrRegistrar Class) - http://us-bos-

ap006/admin/download/SVRREG.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BE87196E-AA7C-11D2-9B53-00600831F0E4} (abraControllerPod111.LogOnDialog) - http://us-bos

-ap006/admin/Download/Support.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\Software\..\Telephony: DomainName = pii.pxl.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pii.pxl.int
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard Corp. - C:\Program

Files\ActivCard\ActivClient\acachsrv.exe
O23 - Service: ActivCard Authentication Client Service (acautsrv) - ActivCard Corp. - C:\Program

Files\ActivCard\ActivClient\acautsrv.exe
O23 - Service: ActivCard Middleware Service (Accoca) - ActivCard Corp. - C:\Program Files\Common

Files\ActivCard\accoca.exe
O23 - Service: ActivCard Event Service (acevents) - ActivCard Corp. - C:\Program

Files\ActivCard\ActivClient\acevents.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Aladdin Service - Unknown owner - C:\Program Files\Perceptive

Informatics\Aladdin\AladdinService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program

Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32

\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program

Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program

Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. -

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - c:\WINDOWS\system32

\RioMSC.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec

AntiVirus\Rtvscan.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell,

Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program

Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32

\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

    Advertisements

Register to Remove


#2 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 26 April 2007 - 03:14 PM

Open Notepad: Start > All Programs > Accessories > Notepad.
Click on Format and ensure that Wordwrap is unchecked. If it isn't, uncheck it.

Rename your copy of hijackthis.exe to seek.exe and post a fresh log run in Normal Mode. It's possible that a nasty is interfering with the normal working of HJT in order to hide itself and renaming the .exe will get around this.

Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

Death to the salad eaters!

#3 arcticwolf618

arcticwolf618

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 27 April 2007 - 09:27 AM

Thanks for the quick reply Noviciate!

Here's the new HJT log after renaming the .exe and below that is the uninstall_log.txt file.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 11:19:52 AM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\Program Files\ActivCard\ActivClient\acautsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivCard\ActivClient\acachsrv.exe
C:\Program Files\ActivCard\ActivClient\acevents.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
c:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ActivCard\ActivClient\accrdsub.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivCard\ActivClient\acsagent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~1\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\notepad.exe
C:\HJT\Hijackthis\seek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://notesbos/tss/...v.nsf/mainframe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.parexel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PAREXEL
O1 - Hosts: 12.4.65.137 iwrs-uat.perceptive.com
O1 - Hosts: 12.41.43.33 iwrs-uat.perceptive.com
O1 - Hosts: 172.24.220.225 colo-ora-002 colo-ora-002.parexel.com low-ora-102
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {106BCF95-B97E-4F46-8AB8-D8250ADC0D2E} - C:\WINDOWS\system32\khheb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6B89832E-D5CC-4586-8D3A-226D43572E6A} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\WINDOWS\system32\gebaxxy.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D9ECE36F-46B0-4FAC-BA58-F347DB4587B6} - C:\WINDOWS\system32\yayyv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivCard\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\niqvedyp.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ActivCard ActivClient Agent.lnk = C:\Program Files\ActivCard\ActivClient\acsagent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Application Window.lnk = C:\Program Files\Novell\ZENworks\NalWin.exe
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pbd: C:\Program Files\Internet Explorer\PLUGINS\NPPBA050.DLL
O12 - Plugin for .psr: C:\Program Files\Internet Explorer\PLUGINS\NPDWE050.DLL
O14 - IERESET.INF: START_PAGE_URL=http://home.parexel.com
O15 - Trusted Zone: http://*.helpdesk
O15 - Trusted Zone: http://*.parexel-cms
O15 - Trusted Zone: http://home.parexel.com
O15 - Trusted Zone: http://www.parexel.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5C62BA7F-2EC1-11D1-BE6B-00600831F894} (SvrRegistrar Class) - http://us-bos-ap006/...load/SVRREG.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BE87196E-AA7C-11D2-9B53-00600831F0E4} (abraControllerPod111.LogOnDialog) - http://us-bos-ap006/...oad/Support.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\Software\..\Telephony: DomainName = pii.pxl.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pii.pxl.int
O20 - Winlogon Notify: acautsrv - C:\Program Files\ActivCard\ActivClient\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivCard\ActivClient\acunlock.dll
O20 - Winlogon Notify: gebaxxy - C:\WINDOWS\SYSTEM32\gebaxxy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayyv - C:\WINDOWS\system32\yayyv.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acachsrv.exe
O23 - Service: ActivCard Authentication Client Service (acautsrv) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acautsrv.exe
O23 - Service: ActivCard Middleware Service (Accoca) - ActivCard Corp. - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: ActivCard Event Service (acevents) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acevents.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Aladdin Service - Unknown owner - C:\Program Files\Perceptive Informatics\Aladdin\AladdinService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - c:\WINDOWS\system32\RioMSC.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

Uninstall_log
Acoustica Effects Pack
ActivCard Access Smartcard
ActivCard ActivClient
ActivCard ActivClient Documentation 5.3
ActivCard ActivClient Registry
ActivCard Authentication Service
ActivCard Automatic Certificate Registration
ActivCard Base 5.03
ActivCard Base Configuration
ActivCard Cache
ActivCard Event Service
ActivCard Handler
ActivCard Java Smartcard
ActivCard Microsoft CAPI Support
ActivCard PCMCIA V3 Reader
ActivCard Pipe
ActivCard Reduced Sign On Base
ActivCard RSO Base
ActivCard USB Reader v2
Ad-Aware SE Personal
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Aladdin
Aladdin Language (8kHz) Pack
Apple Software Update
Ashampoo Burning Studio 6
AT&T Global Network Client
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Atmel
Attachmate 7.11 EXTRA
Broadcom Gigabit Integrated Controller
Broadcom Gigabit Integrated Controller
BSI 1.8
BSI 2.0
BSI 2.1
CAC Profile
Card Profiles V2
ClearType Tuning Control Panel Applet
Client for Check Point Firewall-1 Base
C-Major Audio
Conexant D480 MDC V.92 Modem
Configuration Manager
Cool Edit Pro 2.1
CS Profile 1
CSV1 Profile3
CVS1 Profile
CVS12 Profile
Diagnostic API
Diagnostic Tool
Diagnostic Tool Configuration
Drug Wars
Gemplus GemXpresso
Giesecke & Devrient SmartCafe
Guitar Pro 5.0
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
HP Deskjet 5900 series
IBM Host On-Demand EHLLAPI Bridge
IBM PCOMM
Intel® PROSet/Wireless Software
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 4
Java Application
LaserJet 1020 series
LimeWire 4.12.6
LiveReg (Symantec Corporation)
LiveUpdate 3.1 (Symantec Corporation)
Lotus Notes
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Organization Chart 2.0
Microsoft Visual SourceSafe 6.0
Microsoft Windows Journal Viewer
mIWA
mLogView
mMHouse
Mozilla Firefox (2.0.0.2)
Mozilla Firefox (2.0.0.3)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
mWlsSafe
mWMI
mXML
mZConfig
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1)
NMAS Client (3.0.0.37)
Novell Client for Windows
Oberthur Cosmopolic
Oberthur Galactic
PKCS211
PowerDVD 5.1
QuickTime
Renex BlueZone
Rio Internet Update
Rio Music Manager
SAP Helper
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Shareaza version 2.2.1.0
SmartCard Agent
SmartCard Agent Configuration
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Spybot - Search & Destroy 1.4
SSH Secure Shell
Symantec AntiVirus
Symantec pcAnywhere
Terminal Emulator
TextPad 4.7
Toad for Oracle Freeware
Trillian
Troubleshooting Tool
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
User Console
User Console Configuration
WDDSPPAG
Web Logon
WebEx
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip
WinZip Command Line Support Add-On 1.1 SR-1
Zen_7_asset_management_1_1
ZENworks Desktop Management Agent

#4 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 27 April 2007 - 01:24 PM

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.

There are a few free firewalls available.
Zone Alarm: Available here.
Kerio: Available here.
Outpost: Available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingc...tutorial60.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download VundoFix.exe by Atribune from here and save it to your desktop.
  • Close all open programs and windows as this may require a reboot.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove - in this case, VundoFix will run on reboot - simply repeat the above instructions.
Death to the salad eaters!

#5 arcticwolf618

arcticwolf618

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 30 April 2007 - 02:17 PM

I use this computer at work so I think the firewall is managed on a network level.

Here is the log from the Vundo file and below that is the new HJT log.
VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 3:52:24 PM 4/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\vyyay.bak1
C:\WINDOWS\system32\vyyay.bak2
C:\WINDOWS\system32\vyyay.ini
C:\WINDOWS\system32\yayyv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vyyay.bak1
C:\WINDOWS\system32\vyyay.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyyay.bak2
C:\WINDOWS\system32\vyyay.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyyay.ini
C:\WINDOWS\system32\vyyay.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyv.dll
C:\WINDOWS\system32\yayyv.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:15:54 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\Program Files\ActivCard\ActivClient\acautsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivCard\ActivClient\acachsrv.exe
C:\Program Files\ActivCard\ActivClient\acevents.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
c:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ActivCard\ActivClient\accrdsub.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivCard\ActivClient\acsagent.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\Hijackthis\seek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://notesbos/tss/...v.nsf/mainframe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.parexel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PAREXEL
O1 - Hosts: 12.4.65.137 iwrs-uat.perceptive.com
O1 - Hosts: 12.41.43.33 iwrs-uat.perceptive.com
O1 - Hosts: 172.24.220.225 colo-ora-002 colo-ora-002.parexel.com low-ora-102
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {106BCF95-B97E-4F46-8AB8-D8250ADC0D2E} - C:\WINDOWS\system32\khheb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6B89832E-D5CC-4586-8D3A-226D43572E6A} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\WINDOWS\system32\gebaxxy.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivCard\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\niqvedyp.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ActivCard ActivClient Agent.lnk = C:\Program Files\ActivCard\ActivClient\acsagent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Application Window.lnk = C:\Program Files\Novell\ZENworks\NalWin.exe
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pbd: C:\Program Files\Internet Explorer\PLUGINS\NPPBA050.DLL
O12 - Plugin for .psr: C:\Program Files\Internet Explorer\PLUGINS\NPDWE050.DLL
O14 - IERESET.INF: START_PAGE_URL=http://home.parexel.com
O15 - Trusted Zone: http://*.helpdesk
O15 - Trusted Zone: http://*.parexel-cms
O15 - Trusted Zone: http://home.parexel.com
O15 - Trusted Zone: http://www.parexel.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5C62BA7F-2EC1-11D1-BE6B-00600831F894} (SvrRegistrar Class) - http://us-bos-ap006/...load/SVRREG.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BE87196E-AA7C-11D2-9B53-00600831F0E4} (abraControllerPod111.LogOnDialog) - http://us-bos-ap006/...oad/Support.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\Software\..\Telephony: DomainName = pii.pxl.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pii.pxl.int
O20 - Winlogon Notify: acautsrv - C:\Program Files\ActivCard\ActivClient\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivCard\ActivClient\acunlock.dll
O20 - Winlogon Notify: gebaxxy - C:\WINDOWS\SYSTEM32\gebaxxy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acachsrv.exe
O23 - Service: ActivCard Authentication Client Service (acautsrv) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acautsrv.exe
O23 - Service: ActivCard Middleware Service (Accoca) - ActivCard Corp. - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: ActivCard Event Service (acevents) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acevents.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Aladdin Service - Unknown owner - C:\Program Files\Perceptive Informatics\Aladdin\AladdinService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - c:\WINDOWS\system32\RioMSC.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

#6 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 30 April 2007 - 03:25 PM

I use this computer at work so I think the firewall is managed on a network level.

Then I would suggest getting some IT people to take a look at it rather than fixing it yourself.
I'm sure your boss wouldn't mind paying somebody out of his/her profits rather than relying on free help. S/he could always make a donation to this site as well.

1) Run HJT and click on Open the Misc Tools section.
Click on delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

C:\WINDOWS\system32\gebaxxy.dll

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!

2) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {106BCF95-B97E-4F46-8AB8-D8250ADC0D2E} - C:\WINDOWS\system32\khheb.dll (file missing)
O2 - BHO: (no name) - {6B89832E-D5CC-4586-8D3A-226D43572E6A} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\WINDOWS\system32\gebaxxy.dll

O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\niqvedyp.dll",setvm

O20 - Winlogon Notify: gebaxxy - C:\WINDOWS\SYSTEM32\gebaxxy.dll


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

3) Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\system32\niqvedyp.dll

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


If the file won't delete, boot into Safe Mode and delete it there.

4) Run the following online scan: Panda ActiveScan.
  • Please note that IE is required to run this scan.
  • You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
  • Decide whether you want to click the radio button underneath this part that says -
    "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable." - it's your choice!
  • When you are asked to "Select a device to scan...", click on "My Computer".
When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.
Death to the salad eaters!

#7 arcticwolf618

arcticwolf618

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 02 May 2007 - 09:26 AM

I know what you are saying about having IT look at the computer, but to be honest with you, they would just take my machine and reimage it before trying to even diagose the problem. I've had issues like this before and the 2 times I did have them look at it, they just listened to what I had to say and then proceeded to reimage the machine without backing up my files. Since I don't care to lose critical data again, I have been able to fix any issues that have come up since then. If I'm not able to fix it from the awesome help you're giving me, I'll just back everything up and hand it over to them.

I followed your steps below and have posted the ActiveScan log below. Underneath that is the latest HJT log. My computer has been running a bit quicker since I've been removing the items through the applications and steps you have provided. The WinAntiVirus Pro popups are still coming up, but not as often. The boot time is still taking about about 5-6 minutes for everything to load, but application load times (Office apps, Firefox, etc) have decreased dramatically.

ActiveScan log

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\auwginxr.dll



Logfile of HijackThis v1.99.1
Scan saved at 11:22:54 AM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\Program Files\ActivCard\ActivClient\acautsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivCard\ActivClient\acachsrv.exe
C:\Program Files\ActivCard\ActivClient\acevents.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
c:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ActivCard\ActivClient\accrdsub.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ActivCard\ActivClient\acsagent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\Hijackthis\seek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://notesbos/tss/...v.nsf/mainframe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.parexel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PAREXEL
O1 - Hosts: 12.4.65.137 iwrs-uat.perceptive.com
O1 - Hosts: 12.41.43.33 iwrs-uat.perceptive.com
O1 - Hosts: 172.24.220.225 colo-ora-002 colo-ora-002.parexel.com low-ora-102
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\WINDOWS\system32\gebaxxy.dll
O2 - BHO: (no name) - {76839BEF-6FFE-44D9-A75C-C02B70748F52} - C:\WINDOWS\system32\tuvvw.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivCard\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\auwginxr.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ActivCard ActivClient Agent.lnk = C:\Program Files\ActivCard\ActivClient\acsagent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Application Window.lnk = C:\Program Files\Novell\ZENworks\NalWin.exe
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pbd: C:\Program Files\Internet Explorer\PLUGINS\NPPBA050.DLL
O12 - Plugin for .psr: C:\Program Files\Internet Explorer\PLUGINS\NPDWE050.DLL
O14 - IERESET.INF: START_PAGE_URL=http://home.parexel.com
O15 - Trusted Zone: http://*.helpdesk
O15 - Trusted Zone: http://*.parexel-cms
O15 - Trusted Zone: http://home.parexel.com
O15 - Trusted Zone: http://www.parexel.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5C62BA7F-2EC1-11D1-BE6B-00600831F894} (SvrRegistrar Class) - http://us-bos-ap006/...load/SVRREG.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE87196E-AA7C-11D2-9B53-00600831F0E4} (abraControllerPod111.LogOnDialog) - http://us-bos-ap006/...oad/Support.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\Software\..\Telephony: DomainName = pii.pxl.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pii.pxl.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pii.pxl.int
O20 - Winlogon Notify: acautsrv - C:\Program Files\ActivCard\ActivClient\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivCard\ActivClient\acunlock.dll
O20 - Winlogon Notify: gebaxxy - C:\WINDOWS\SYSTEM32\gebaxxy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: tuvvw - C:\WINDOWS\system32\tuvvw.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acachsrv.exe
O23 - Service: ActivCard Authentication Client Service (acautsrv) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acautsrv.exe
O23 - Service: ActivCard Middleware Service (Accoca) - ActivCard Corp. - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: ActivCard Event Service (acevents) - ActivCard Corp. - C:\Program Files\ActivCard\ActivClient\acevents.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Aladdin Service - Unknown owner - C:\Program Files\Perceptive Informatics\Aladdin\AladdinService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - c:\WINDOWS\system32\RioMSC.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

#8 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 02 May 2007 - 01:07 PM

The main problem at the moment is a Vundo infection that I hear has been recoded, which makes it less amenable to being removed. Yours is breeding at the minute.
This little sucker is well known for causing slow PCs which is what you're experiencing at the moment.
It's also a slime magnet and could be attracting the other nasty that seems to be reluctant to go.
If I can get rid of the Vundo files, the other one should go OK, so that's the challenge.
It could take a few attempts to remove, but I don't have anything better to do with my time, so it's up to you what you choose to do. Follow the instructions below if you don't want to nuke and pave and we'll see where that takes us.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download a fresh copy of Vundofix - it gets updated quite frequently and I want the latest version.
Double click Vundofix.exe:
  • Right click an empty area of the central window.
  • Click Add more files?
  • Copy and paste the following into separate boxes:
    • C:\WINDOWS\SYSTEM32\gebaxxy.dll
      C:\WINDOWS\system32\tuvvw.dll
  • Click Add File(s).
  • Click Close Window.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove - in this case, VundoFix will run on reboot - simply repeat the above instructions.

Download Combofix by sUBs from here and save it to your Desktop.
  • Double click combo.exe to run it and follow the prompts.
  • When the tool has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Please Note:
  • Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  • Disable Script Blocking if you have NAV installed as it will interfere with the normal working of this tool.
  • Trojan Hunter has been reported to detect this tool as Worm.Qiv.100 - please ignore this, it's a false-positive.

Death to the salad eaters!

#9 arcticwolf618

arcticwolf618

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 07 May 2007 - 12:35 PM

Hey Noviciate, Sorry for not replying sooner. But, the day after your last reply I was trying to run the things you suggested and noticed that my anti-virus was catching more than the normal amount of infected files. Soon after noticing this, my computer rebooted and I was faced with a blue screen message about a Device IRQL... error. So, I had to get it to IS as it wouldn't even boot up in safe mode. They couldn't fix the machine either, but I salvaged the hard disk and have a temp machine while my new computer is being shipped out to us. I appreciate all of your help and luckily this is over with and I didn't lose any data. Thanks again! Arcticwolf

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users