dariom70, posted August 29, 2006

Hi, I have a lot of pop-ups, the CPU works at nearly 100%, the comp is very slow. As requested, I attach the HijackThis log after the last Ad-Aware scan. Could you help me to resolve this problem? Regards, dariom70

Logfile of HijackThis v1.99.1
Scan saved at 2:39:17 PM, on 8/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\wkssvr.exe
C:\WINNT\Explorer.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\dfndrff_14.exe
C:\nwnmff_14.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\rbsboro\Local Settings\Application Data\Skype\Phone\Skype.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\ESOE\EDMS\ECP.exe
C:\Program Files\WINZIP\winzip32.exe
C:\Documents and Settings\rbsboro\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.ericsson.com/page/hub_insi...bject_areas.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-proxy.ericsson.se:3132/accelerated_pac_base.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.ericsson.se:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.internal.ericsson.com;*.ericsson.se;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_14.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [skype] "C:\Documents and Settings\rbsboro\Local Settings\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe
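What a helper looks for in a log like the one above is a small set of patterns: a system.ini Shell= or UserInit= line that launches something besides Explorer.exe and userinit.exe, Run-key entries that point at the drive root, at a bare filename or at a .tmp file, and services whose binary carries a Windows system name (lsass.exe, dllhost.exe) but lives outside system32. The script below is an added example written for this thread; it is not part of the forum post and not code from HijackThis. It applies those defender checks to a constructed sample made of lines copied from the log above. The heuristic names, severities and the SYSTEM_BINARIES list are my own choices.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    line: str       # the HijackThis line that triggered the finding


# Constructed sample: a handful of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\wkssvr.exe
C:\WINNT\Explorer.exe
C:\dfndrff_14.exe
C:\Program Files\WinZip\WZQKPICK.EXE

F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe
"""

# Binaries Windows runs only from %SystemRoot%\system32; the same name elsewhere is a classic decoy.
SYSTEM_BINARIES = {"lsass.exe", "dllhost.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUNKEY_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\+[^\\]+$")
# Executable part of a command line: optional quotes, then up to the first executable extension.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif|tmp|dll))"?(?:\s|$)', re.IGNORECASE)


def exe_path(cmd: str) -> str:
    """Return the executable path of a command line, tolerating unquoted paths with spaces."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def check_path(path: str, context: str, line: str) -> list:
    """Path heuristics shared by process, Run-key and service entries."""
    out = []
    p = path.strip().lower()
    if not p:
        return out
    name = p.rsplit("\\", 1)[-1]
    if "\\" not in p:
        out.append(Finding("medium", f"{context}: bare filename, resolved through the search path", line))
    elif DRIVE_ROOT_RE.match(p):
        out.append(Finding("high", f"{context}: executable in the drive root", line))
    if name.endswith(".tmp"):
        out.append(Finding("high", f"{context}: .tmp file used as an executable", line))
    if name in SYSTEM_BINARIES and not p.endswith("\\system32\\" + name):
        out.append(Finding("high", f"{context}: {name} outside system32", line))
    if "\\dllcache\\" in p:
        out.append(Finding("high", f"{context}: binary launched from dllcache", line))
    return out


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the entries that deserve a closer look."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if not m:                      # not an entry: either a process path or header text
            if in_procs:
                findings += check_path(line, "running process", line)
            continue
        in_procs = False
        kind, body = m.groups()
        if kind == "F2" and body.startswith("REG:system.ini: "):
            key, _, value = body[len("REG:system.ini: "):].partition("=")
            if key == "Shell":         # anything besides Explorer.exe is an extra shell
                for tok in value.split():
                    if tok.lower() != "explorer.exe":
                        findings.append(Finding("high", f"extra shell executable: {tok}", line))
            elif key == "UserInit":    # comma-separated; only userinit.exe belongs here
                for part in value.split(","):
                    part = part.strip()
                    if part and not part.lower().endswith("userinit.exe"):
                        findings.append(Finding("high", f"extra UserInit executable: {part}", line))
        elif kind == "O4":
            rm = RUNKEY_RE.match(body)  # Global Startup .lnk entries are not covered here
            if rm:
                hive, subkey, name, cmd = rm.groups()
                findings += check_path(exe_path(cmd), f"{hive} {subkey} [{name}]", line)
        elif kind == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                display, owner, path = parts
                if owner == "Unknown owner":
                    findings.append(Finding("medium", f"service '{display}' has no file-version owner", line))
                findings += check_path(exe_path(path), f"service '{display}'", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the script reports seven high and three medium findings and stays silent on the Symantec and Diskeeper entries; the O16/O20 sections and Global Startup shortcuts are left for manual review because their legitimacy depends on vendor knowledge rather than on a path pattern.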
jurgenv, posted August 29, 2006

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
dariom70, posted August 30, 2006

Hi, As you asked:

rbsdami - Wed 2006-08-30 9:50:36.05
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\rbsdami\Desktop\Programi D

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}\InprocServer32]
@="C:\\WINNT\\system32\\kodbe.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINNT\system32\hlpadt40.dll
C:\WINNT\system32\ijaksie.dll
C:\WINNT\system32\kodbe.dll
C:\WINNT\system32\mnbsync.dll

Granting sedebugprivilege to Administrators ... successful

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\dfndrff_13.exe
C:\dfndrff_14.exe
C:\drsmartload.exe
C:\drsmartload45a45f.exe
C:\drsmartload45a45g.exe
C:\drsmartload45a45h.exe
C:\drsmartload46a46f.exe
C:\drsmartload46a46g.exe
C:\drsmartload46a46h.exe
C:\drsmartload849a849f.exe
C:\drsmartload849a849g.exe
C:\drsmartload849a849h.exe
C:\kybrdff_14.exe
C:\MTE3NDI6ODoxNg.exe
C:\nwnmff_13.exe
C:\nwnmff_14.exe
C:\deskbar.exe
C:\Installer3.exe
C:\WINNT\uninstall_nmon.vbs
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\kybrdff_14.exe
C:\kybrdff_14.exe

((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))

2006-08-30 09:10       358  --a------  C:\Combo.bat
2006-08-29 10:15     7,168  --a------  C:\WINNT\system32\rdriv.sys
2006-08-29 10:08 1,093,632  ---------  C:\WINNT\lsass.exe
2006-08-29 09:46         0  --ahs----  C:\WINNT\system32\.exe
2006-08-28 14:31    20,448  ---------  C:\WINNT\system32\net32a.exe
2006-08-28 08:12    20,480  --a------  C:\aol.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-08-29 09:46         0  --ahs----  C:\WINNT\system32\.exe
2006-08-28 10:24  --------  d--------  C:\Program Files\Windows SyncroAd

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"VRCNotify"="C:\\Program Files\\RACOM\\RACOM Internet Client\\VRCNotify.exe"
@=""
"WpsRePsw"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\WpsRePsw.EXE"
"StatusClient 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"
"Services"="C:\\WINNT\\system32\\5D.tmp"
"Security Check"="logincmd.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SSA\\smc.exe -startgui"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
@=""
"Windows Kernel System Service"="wkssvr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"="Important Legal Notice (v.1.0)"
"legalnoticetext"="These computer resources,specifically Internet access and E-mail,are provided for authorized users only. For legal,security and cost reasons,utilization and access of resources are monitored and recorded in log files. All information (whether business or personal) that is created,received,downloaded,stored,sent or otherwise processed can be accessed,reviewed,copied,recorded or deleted by Ericsson,in accordance with approved internal procedures,at any time if deemed necessary or appropriate,and without advance notice. Any evidence of unauthorized access or misuse of Ericsson resources may result in disciplinary actions,including termination of employment or assignment,and could subject a user to criminal prosecution. Your use of Ericsson's computer resources constitutes your consent to Ericsson's Policies and Directives,including the provisions stated above. IF YOU ARE NOT AN AUTHORIZED USER,PLEASE EXIT IMMEDIATELY"
"shutdownwithoutlogon"=dword:00000001
"RunLogonScriptSync"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows Kernel System Service"="wkssvr.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"ForceStartMenuLogOff"=dword:00000001
"NoWindowsUpdate"=dword:00000001
"NoWelcomeScreen"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows Kernel System Service"="wkssvr.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6129C408-54BF-4A2B-AA6C-9CC5E737261F}"=""

Completion time: Wed 2006-08-30 9:55:47.46
ComboFix.txt
ComboFix2.txt

And HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:47, on 30/08/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\net32a.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\dllcache\wksrvs.exe
C:\WINNT\dllhost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wkssvr.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
c:\dfndrff_14.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\RXJpY3Nzb24gVXNlcg\command.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\WINZIP\winzip32.exe
C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe
C:\WINNT\system32\HPBPRO.EXE

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_14.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\rTsgprxy.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXJpY3Nzb24gVXNlcg\command.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe
O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe
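The useful reading of this second HijackThis log is a comparison with the first one: the wkssvr.exe Shell/UserInit/RunServices entries survived the ComboFix run, the Deskbar search hook is gone, and three loading points that were not there before have appeared (a second RunServices value for wkssvr.exe, a ShellCompatibility Winlogon notify DLL and the cmdService service). The script below is an added example written for this thread, not code from the forum or from any of the tools mentioned; it diffs two HijackThis logs after normalising case, doubled backslashes and the "(file missing)" status so cosmetic differences do not hide a persisted entry. The BEFORE and AFTER samples are constructed from a few lines of the two logs in this thread.

```python
import re

# Constructed sample: selected entries from the 29 Aug log (before ComboFix) ...
BEFORE = r"""
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
"""

# ... and the matching entries from the 30 Aug log (after ComboFix).
AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\rTsgprxy.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXJpY3Nzb24gVXNlcg\command.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")                     # R0, F2, O4, O23, ...
STATUS_RE = re.compile(r"\s*\(file missing\)\s*$", re.IGNORECASE)


def normalize(line: str) -> str:
    """Canonical form of an entry: status suffix dropped, backslash runs collapsed, lower-cased.
    HijackThis prints some paths as C:\\file.exe and others as c:\file.exe; these are the same key."""
    line = STATUS_RE.sub("", line.strip())
    line = re.sub(r"\\+", r"\\", line)
    return line.lower()


def entries(log_text: str) -> dict:
    """Map normalized entry -> original line for every line that looks like a HijackThis entry."""
    out = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            out[normalize(line)] = line
    return out


def diff_logs(before: str, after: str) -> dict:
    """Split the entries of two scans into persisted, removed and new."""
    b, a = entries(before), entries(after)
    return {
        "persisted": sorted(a[k] for k in a.keys() & b.keys()),
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "new": sorted(a[k] for k in a.keys() - b.keys()),
    }


def by_kind(lines) -> dict:
    """Count entries per HijackThis section (F2, O4, O20, O23, ...)."""
    counts = {}
    for line in lines:
        kind = line.split(" - ", 1)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for bucket in ("new", "persisted", "removed"):
        print(f"== {bucket} {by_kind(result[bucket])} ==")
        for line in result[bucket]:
            print("  " + line)
```

Persisted F2, RunServices and O20 entries after a cleaning pass are the signal that the component re-creating them is still running, which is why the helper moves on to a different tool rather than re-running the same one; the "(file missing)" normalisation also makes the wksrvs.exe service show up as persisted even though the binary was absent at the first scan and present at the second.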
jurgenv, posted August 30, 2006

Download Delcmdservice.zip to your Desktop.
Now, unpack the delcmdservice folder to your desktop. (Click here for information on how to unpack files.)
Open the delcmdservice folder on your desktop and double-click on DelReg.bat; a DOS window will open and rapidly close - this is normal. Now close the delcmdservice folder.

* Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files to and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.

1. Please download Ewido Anti-Malware
Install ewido anti-malware
Launch ewido: there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido: ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to, click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "Scriptline to execute" field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal Windows and post the contents of the Ewido text report that you saved and the contents of the Qoofix logfile with a new HiJackThis log.
dariom70, posted August 30, 2006

Hi, Problem at the very beginning: I can not finish the Ewido Anti-Malware setup, it stops before I come to the "I Agree" part. Regards, dariom70
jurgenv, posted August 30, 2006

What do you mean? It freezes up? Please retry.
dariom70, posted August 31, 2006

I get the message "Are you sure ... exit Ewido setup" and then it disappears. I have tried 50 times and am still trying.
dariom70, posted August 31, 2006

I managed to install Ewido. Now, the problem is that when I start it in Safe mode it says "Something bad happened to application, error diagnostic file saved to.." !?
jurgenv, posted August 31, 2006

Never mind, do these steps please:

Please download Look2Me-Destroyer.exe to your desktop.
* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
* When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
dariom70 Posted August 31, 2006

As you said:

Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 31.8.2006 14:39:12
Infected! C:\WINNT\system32\l6p20g7oe6.dll
Infected! C:\WINNT\system32\fp4003hme.dll
Infected! C:\WINNT\system32\gp80l3lm1.dll
Infected! C:\WINNT\system32\hytcpmib.dll
Infected! C:\WINNT\system32\hzboidps.dll
Infected! C:\WINNT\system32\iIssvcs.dll
Infected! C:\WINNT\system32\irdkcs32.dll
Infected! C:\WINNT\system32\l6p20g7oe6.dll
Infected! C:\WINNT\system32\mvn6l95s1.dll
Infected! C:\WINNT\system32\wpnsta.dll
Infected! C:\WINNT\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINNT\system32\l6p20g7oe6.dll
C:\WINNT\system32\l6p20g7oe6.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\fp4003hme.dll
C:\WINNT\system32\fp4003hme.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\gp80l3lm1.dll
C:\WINNT\system32\gp80l3lm1.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\hytcpmib.dll
C:\WINNT\system32\hytcpmib.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\hzboidps.dll
C:\WINNT\system32\hzboidps.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\iIssvcs.dll
C:\WINNT\system32\iIssvcs.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\irdkcs32.dll
C:\WINNT\system32\irdkcs32.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\l6p20g7oe6.dll
C:\WINNT\system32\l6p20g7oe6.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\mvn6l95s1.dll
C:\WINNT\system32\mvn6l95s1.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\wpnsta.dll
C:\WINNT\system32\wpnsta.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2A3BCF3B-370C-4380-ADE1-5373B7B17A8D}" HKCR\Clsid\{2A3BCF3B-370C-4380-ADE1-5373B7B17A8D}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{13AB8A93-B3A5-4C91-AE90-54BF7DFC403A}" HKCR\Clsid\{13AB8A93-B3A5-4C91-AE90-54BF7DFC403A}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5D9A1D68-206B-49C5-B801-DC1212B3E4D0}" HKCR\Clsid\{5D9A1D68-206B-49C5-B801-DC1212B3E4D0}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0880CADD-0F92-497D-8CCA-6E29DC5FCC88}" HKCR\Clsid\{0880CADD-0F92-497D-8CCA-6E29DC5FCC88}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{44836CD4-BB03-4294-9377-A76471BD798D}" HKCR\Clsid\{44836CD4-BB03-4294-9377-A76471BD798D}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{09C79D18-06C8-46FC-93E4-8DD164570DB6}" HKCR\Clsid\{09C79D18-06C8-46FC-93E4-8DD164570DB6}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded

And HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 14:55:46, on 31/08/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\dllcache\wksrvs.exe
C:\WINNT\dllhost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\nwnmff_14.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ESOE\ECC.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\ESOE\EDMS\ECP.exe
C:\Program Files\WINZIP\winzip32.exe
C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe
O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe
jurgenv Posted August 31, 2006

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
dariom70 Posted August 31, 2006

SDFix cannot be downloaded from this location. I tried from other locations found on the internet, but it is not possible to download the proper file.
jurgenv Posted August 31, 2006

* Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, click Options > Change settings.
Choose the "Scan" tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found: if so, click it and then click the next icon right below and select Move incurable as you'll see in the next image. This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list. Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
dariom70 Posted September 1, 2006

As you said:

Logfile of HijackThis v1.99.1
Scan saved at 09:18:29, on 01/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\ESOE\ECC.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\ESOE\EDMS\ECP.exe
C:\Program Files\WINZIP\winzip32.exe
C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

And DrWeb report:

wksrvs.exe;C:\WINNT\system32\dllcache;Probably DLOADER.IRC.PWS.Trojan;Incurable.Moved.;
dllhost.exe;C:\WINNT;BackDoor.Servu.60;Incurable.Moved.;
nwnmff_14.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
aol.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload.exe;C:\;Trojan.DownLoader.12431;Deleted.;
drsmartload45a45h.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload46a46h.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload849a849h.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
Installer3.exe;C:\;Adware.Look2me;Incurable.Moved.;
MTE3NDI6ODoxNg.exe;C:\;Trojan.DownLoader.5013;Deleted.;
nwnmff_14.exe;C:\;Adware.DollarRevenue;;
Archicad_r2_crk.EXE;C:\Boba PC Old\unzipped\Archicad_6.5_R2_Int;Tool.GameCrack;Incurable.Moved.;
cmdinst.exe;C:\Documents and Settings\rbsboro\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
imloader.exe;C:\Documents and Settings\rbsboro\Local Settings\Temp\ImInstaller\IncrediMail;Adware.IncrediMail;Incurable.Moved.;
aol_start[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\DFJZLTCE;Adware.DollarRevenue;Incurable.Moved.;
dfndrff_13[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\DFJZLTCE;Adware.DollarRevenue;Incurable.Moved.;
kybrdff_13[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\DFJZLTCE;Adware.DollarRevenue;Incurable.Moved.;
dfndrff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\KFDZ2QJ9;Adware.DollarRevenue;Incurable.Moved.;
drsmartload45a[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\KFDZ2QJ9;Adware.DollarRevenue;Incurable.Moved.;
kybrdff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\MPANIVSV;Adware.DollarRevenue;Incurable.Moved.;
Installer[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\P8W7HP0X;Adware.Look2me;Incurable.Moved.;
loader[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\P8W7HP0X;Trojan.DownLoader.12431;Deleted.;
nwnmff_13[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\P8W7HP0X;Adware.DollarRevenue;Incurable.Moved.;
drsmartload849a[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\WDENQXA3;Adware.DollarRevenue;Incurable.Moved.;
installer[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\WDENQXA3;Trojan.Proxy.493;Incurable.Moved.;
MTE3NDI6ODoxNg[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\Y4I9ZHKW;Trojan.DownLoader.5013;Deleted.;
nwnmff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\YXTY32D8;Adware.DollarRevenue;Incurable.Moved.;
drsmartload46a[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\Z2R5DDF7;Adware.DollarRevenue;Incurable.Moved.;
cmdinst.exe;C:\Documents and Settings\rbsdami\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
drsmartload45a[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CDUN8DI7;Adware.DollarRevenue;Incurable.Moved.;
drsmartload849a[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CDUN8DI7;Adware.DollarRevenue;Incurable.Moved.;
nwnmff_14[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CDUN8DI7;Adware.DollarRevenue;Incurable.Moved.;
installer[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CPE3W5ER;Trojan.Proxy.493;Incurable.Moved.;
Installer[2].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CPE3W5ER;Adware.Look2me;Incurable.Moved.;
kybrdff_14[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\G5M74H6R;Adware.DollarRevenue;Incurable.Moved.;
loader[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\G5M74H6R;Trojan.DownLoader.12431;Deleted.;
dfndrff_14[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\OXQ30PEB;Adware.DollarRevenue;Incurable.Moved.;
drsmartload46a[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\OXQ30PEB;Adware.DollarRevenue;Incurable.Moved.;
MTE3NDI6ODoxNg[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\OXQ30PEB;Trojan.DownLoader.5013;Deleted.;
deskbar.dll;C:\Program Files\Deskbar;Adware.Softomate;Incurable.Moved.;
SM0151.DLL;C:\Scala 5.0\S_PACK\Skipped;Modification of Milan.Naziskin.335;Moved.;
imloader.exe;C:\WINNT\Downloaded Program Files;Adware.IncrediMail;Incurable.Moved.;
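The DrWeb.csv report posted above is a plain semicolon-separated list, one file per line in the order name;directory;verdict;action; with a trailing separator. As an added example (not code from the thread or from Dr.Web), a small Python parser that summarizes such a report and singles out entries whose action field is blank, so that nothing was recorded as cured, moved or deleted for that path; the sample below is a constructed subset of the lines in the post.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the DrWeb.csv lines posted in this thread.
# A blank fourth field (second nwnmff_14.exe line) means the scanner recorded
# no action for that file, so it is still worth checking on disk afterwards.
SAMPLE_REPORT = r"""
wksrvs.exe;C:\WINNT\system32\dllcache;Probably DLOADER.IRC.PWS.Trojan;Incurable.Moved.;
dllhost.exe;C:\WINNT;BackDoor.Servu.60;Incurable.Moved.;
nwnmff_14.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload.exe;C:\;Trojan.DownLoader.12431;Deleted.;
nwnmff_14.exe;C:\;Adware.DollarRevenue;;
cmdinst.exe;C:\Documents and Settings\rbsboro\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
dfndrff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\KFDZ2QJ9;Adware.DollarRevenue;Incurable.Moved.;
deskbar.dll;C:\Program Files\Deskbar;Adware.Softomate;Incurable.Moved.;
"""


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def path(self) -> str:
        # "C:\" is reported with its trailing backslash; deeper directories are not.
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def handled(self) -> bool:
        """True when the scanner recorded a cure, move or delete for this file."""
        return self.action != ""


def parse_report(text: str) -> list:
    """Parse DrWeb.csv text into Detection records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"malformed DrWeb line: {line!r}")
        name, directory, verdict, action = fields[:4]
        records.append(Detection(name, directory, verdict, action))
    return records


def unhandled(records) -> list:
    """Files the report lists but never cured, moved or deleted."""
    return [r for r in records if not r.handled]


def summarize(records) -> dict:
    """Counts by verdict and by action, plus how many sat in the IE download cache."""
    return {
        "by_verdict": Counter(r.verdict for r in records),
        "by_action": Counter(r.action or "(none)" for r in records),
        "from_ie_cache": sum("Temporary Internet Files" in r.directory for r in records),
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    summary = summarize(recs)
    for verdict, n in summary["by_verdict"].most_common():
        print(f"{n:3d}  {verdict}")
    print("actions:", dict(summary["by_action"]))
    print("from IE cache:", summary["from_ie_cache"])
    for r in unhandled(recs):
        print("NO ACTION RECORDED:", r.path, "->", r.verdict)
```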
jurgenv Posted September 1, 2006

* Please open hijackthis and put a check next to the following:

O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.
* After that, reboot and post a new hijackthis log here and tell me how everything is working.
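The entries picked out above share a few recognizable traits: a Run target that is a .tmp file or sits directly in the drive root, a bare filename with no directory, an entry under RunServices (a Windows 9x-era key that Windows 2000 never processes), and a service with an unknown owner whose binary is already gone. As an added example (not code from the thread, from HijackThis or from the helper), a Python triage that parses O4 and O23 lines and flags those traits, run over lines copied from the logs above; the allowlist of known bare filenames and the list of core process names are assumptions, and the "system process name outside system32" check generalizes from the C:\WINNT\dllhost.exe detection in the Dr.Web report rather than from anything the helper chose.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis logs in this thread,
# with a few benign ones kept in for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
"""

# Autostart keys that Windows 2000 itself never reads (Windows 9x only);
# an entry there exists to survive naive cleanup, not to start a real service.
NINETIES_KEYS = {"RunServices", "RunServicesOnce"}

# Core Windows process names whose only legitimate home is %SystemRoot%\system32.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "dllhost.exe"}

# Bare filenames Windows 2000 legitimately starts by name (constructed allowlist).
KNOWN_BARE = {"internat.exe", "mobsync.exe"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*?)(?: \((file missing)\))?$")
EXE_RE = re.compile(r'\S.*?\.(?:exe|tmp|dll|bat|com|scr|pif)\b', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def executable_of(command: str) -> str:
    """Pull the program path out of an O4 command, dropping quotes and arguments."""
    m = EXE_RE.search(command)
    return (m.group(0) if m else command).strip('"')


def check_o4(hive: str, key: str, name: str, command: str) -> list:
    reasons = []
    exe = executable_of(command)
    base = exe.rsplit("\\", 1)[-1].lower()
    if key in NINETIES_KEYS:
        reasons.append(f"{key} key is not processed by Windows 2000; classic persistence spot")
    if base.endswith(".tmp"):
        reasons.append("autostart target is a .tmp file")
    if re.match(r"^[A-Za-z]:\\+[^\\]+$", exe):
        reasons.append("autostart target sits directly in the drive root")
    if "\\" not in exe and base not in KNOWN_BARE:
        reasons.append("bare filename resolved via PATH, not a known Windows component")
    return reasons


def check_o23(display: str, owner: str, path: str, missing: bool) -> list:
    reasons = []
    base = path.rsplit("\\", 1)[-1].lower()
    if owner == "Unknown owner" and missing:
        reasons.append("service with unknown owner whose binary is already gone (orphaned entry)")
    if base in SYSTEM_NAMES and "\\system32\\" not in path.lower():
        reasons.append(f"{base} outside system32 (lookalike of a core Windows process)")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O4/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := O4_RE.match(line)):
            reasons = check_o4(*m.groups())
        elif (m := O23_RE.match(line)):
            display, owner, path, missing = m.groups()
            reasons = check_o23(display, owner, path, missing is not None)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("    ->", why)
```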
dariom70 Posted September 4, 2006

Here is the hijackthis log. It still works very slowly, with nearly 100%.

Logfile of HijackThis v1.99.1
Scan saved at 09:28:44, on 04/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ESOE\EDMS\ECP.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\WINZIP\winzip32.exe
C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
jurgenv, posted September 4, 2006:

Can you post the log normally, please?
dariom70, posted September 4, 2006:

Logfile of HijackThis v1.99.1
Scan saved at 17:02:00, on 04/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\ESOE\EDMS\ECP.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
jurgenv, posted September 4, 2006:

Please run Notepad and copy the following text into a new file:

sc stop WinFWd
sc delete WinFWd

Save the file as remove.bat on your desktop and make sure the "Save as type" field says "All files". Now double-click on remove.bat on your desktop; a command prompt will open shortly and close again. Now, post a new HijackThis log here.
dariom70, posted September 5, 2006:

Done. Here is the HijackThis log as you requested.

Logfile of HijackThis v1.99.1
Scan saved at 08:40:36, on 05/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\ESOE\EDMS\ECP.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WINZIP\winzip32.exe
C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
jurgenv, posted September 5, 2006:

Open HijackThis and click on "None of the above, just start the program". Now click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

WinFWd

Click OK. It should pull up information about the service, then ask if you want to reboot. Click YES. Post a new HijackThis log after it reboots and let me know if you received any error messages.
dariom70, posted September 6, 2006:

I have followed the procedure, but after I entered WinFWd and clicked OK I received the warning: "The service WinFWd is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window." I was not able to finish it and reboot.
jurgenv, posted September 6, 2006:

* Fix the following line first in HijackThis:

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

After that, try again.
dariom70, posted September 6, 2006:

I did what you told me to do and fixed the line in HijackThis, but after a few attempts the same warning pops up.
jurgenv, posted September 6, 2006:

Please run Notepad and copy the following text into a new file: Save the file as remove.bat on your desktop and make sure the "Save as type" field says "All files". Now double-click on remove.bat on your desktop; a command prompt will open shortly and close again. Now, post a new HijackThis log here. Can you try remove.bat in safe mode?