dariom70

Could you please help me - HijackThis log inside


Hi,

I have a lot of pop-ups, the CPU is at nearly 100%, and the computer is very slow.

As requested, I attach the HijackThis log taken after the last Ad-Aware scan.

 

Could you help me to resolve this problem?

 

Regards

dariom70

 

Logfile of HijackThis v1.99.1

Scan saved at 2:39:17 PM, on 8/29/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\system32\wkssvr.exe

C:\WINNT\Explorer.exe

C:\WINNT\SYSTEM32\DWRCST.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\dfndrff_14.exe

C:\nwnmff_14.exe

C:\WINNT\system32\internat.exe

C:\Documents and Settings\rbsboro\Local Settings\Application Data\Skype\Phone\Skype.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsboro\Local Settings\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.ericsson.com/page/hub_insi...bject_areas.jsp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-proxy.ericsson.se:3132/accelerated_pac_base.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.ericsson.se:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.internal.ericsson.com;*.ericsson.se;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll

F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp

O4 - HKLM\..\Run: [security Check] logincmd.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_14.exe

O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe

O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [skype] "C:\Documents and Settings\rbsboro\Local Settings\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)

O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe

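The log above is read by eye in this thread, but the tells are mechanical: the F2 lines show `wkssvr.exe` appended to both `Shell=` and `UserInit=`, several O4 entries run bare filenames, `.tmp` files or executables dropped in `C:\`, and the O23 lines list vendor-less services with Windows-sounding names, an `lsass.exe` outside system32 and a service whose binary is already gone. The following Python is an added example, not part of the thread and not HijackThis code, that applies exactly those heuristics to a HijackThis 1.99-format log. The sample input is a handful of lines copied from the log above (with three benign entries kept for contrast); the trusted-directory prefixes and the set of core Windows binary names are assumptions for a Windows 2000 install in `C:\WINNT`.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: entries copied from the first HijackThis log in this
# thread, with three benign entries from the same log kept for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe
"""

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")

# Assumptions for a Windows 2000 box with %SystemRoot% = C:\WINNT.
# Core Windows binaries that have no business living outside system32:
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "dllhost.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
TRUSTED_DIRS = SYSTEM32_DIRS + ("c:\\program files\\",)


def normalize(path: str) -> str:
    """Lower-case a path, drop quotes, and collapse the doubled separators
    HijackThis prints for drive-root drops (the C:\\dfndrff_14.exe form)."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"')).lower()


def first_executable(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_f2(body: str):
    """system.ini Shell/UserInit: anything besides explorer.exe / userinit.exe is injected."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)", body)
    if not m:
        return None
    key, value = m.groups()
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[key]
    tokens = [t for t in re.split(r"[ ,]+", value.strip()) if t]  # paths with spaces are rare here
    extra = [t for t in tokens if PureWindowsPath(normalize(t)).name != expected]
    return f"{key} launches extra program(s) at logon: {extra}" if extra else None


def check_o4(body: str):
    """Run/RunServices entries: bare names, drive-root drops, .tmp files, RunServices keys."""
    m = re.match(r"(?P<key>[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)", body)
    if not m:
        return None  # "Global Startup: x.lnk = path" entries are not handled here
    exe = normalize(first_executable(m.group("cmd")))
    p = PureWindowsPath(exe)
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename, located via PATH search")
    elif len(p.parts) == 2:
        reasons.append("executable in drive root")
    if p.suffix == ".tmp":
        reasons.append("runs a .tmp file")
    if "runservices" in m.group("key").lower():
        reasons.append("RunServices key")
    return "; ".join(reasons) or None


def check_o23(body: str):
    """Services: missing binary, core-binary name outside system32, vendor-less 'Windows ...' service."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3 or not parts[0].startswith("Service: "):
        return None
    display, vendor, path = parts
    missing = path.endswith("(file missing)")
    npath = normalize(path.replace("(file missing)", ""))
    p = PureWindowsPath(npath)
    reasons = []
    if missing:
        reasons.append("service binary missing")
    if p.name in SYSTEM_BINARIES and not npath.startswith(SYSTEM32_DIRS):
        reasons.append(f"{p.name} outside system32")
    if vendor == "Unknown owner" and (
        display.startswith("Service: Windows") or not npath.startswith(TRUSTED_DIRS)
    ):
        reasons.append("no version info on a Windows-branded or oddly placed service")
    return "; ".join(reasons) or None


CHECKS = {"F2": check_f2, "O4": check_o4, "O23": check_o23}


def triage(log_text: str):
    """Return the entries worth a second look, each with the reason it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("type"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append({"type": m.group("type"), "line": raw.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:4} {f['reason']}\n     {f['line']}")
```

Run on the sample it flags nine entries (both F2 lines, four O4 lines, three O23 lines) and leaves igfxTray, OpwareSE2 and Diskeeper alone. The O23 rule keys on "Unknown owner" because HijackThis prints that when the binary carries no version-info company name, which genuine Microsoft service binaries always do; a vendor-less service called "Windows Socket System Service" is therefore impersonating, not misidentified.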

1. Download this file - combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply together with a new HijackThis log.

 

Note:

Do not mouse-click ComboFix's window while it is running; that may cause it to stall.


Hi,

As you asked:

 

rbsdami - Wed 2006-08-30 9:50:36.05

ComboFix 06.08.27BT - Running from: C:\Documents and Settings\rbsdami\Desktop\Programi D

 

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

 

REGISTRY ENTRIES REMOVED:

 

[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{68DBCF7F-E11F-4EA5-BDBC-888739B1D232}\InprocServer32]

@="C:\\WINNT\\system32\\kodbe.dll"

"ThreadingModel"="Apartment"

 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

FILES REMOVED:

 

C:\WINNT\system32\hlpadt40.dll

C:\WINNT\system32\ijaksie.dll

C:\WINNT\system32\kodbe.dll

C:\WINNT\system32\mnbsync.dll

 

 

Granting sedebugprivilege to Administrators ... successful

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\dfndrff_13.exe

C:\dfndrff_14.exe

C:\drsmartload.exe

C:\drsmartload45a45f.exe

C:\drsmartload45a45g.exe

C:\drsmartload45a45h.exe

C:\drsmartload46a46f.exe

C:\drsmartload46a46g.exe

C:\drsmartload46a46h.exe

C:\drsmartload849a849f.exe

C:\drsmartload849a849g.exe

C:\drsmartload849a849h.exe

C:\kybrdff_14.exe

C:\MTE3NDI6ODoxNg.exe

C:\nwnmff_13.exe

C:\nwnmff_14.exe

C:\deskbar.exe

C:\Installer3.exe

C:\WINNT\uninstall_nmon.vbs

C:\Program Files\Deskbar

C:\Program Files\network monitor

C:\kybrdff_14.exe

C:\kybrdff_14.exe

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))

 

 

2006-08-30 09:10 358 --a------ C:\Combo.bat

2006-08-29 10:15 7,168 --a------ C:\WINNT\system32\rdriv.sys

2006-08-29 10:08 1,093,632 --------- C:\WINNT\lsass.exe

2006-08-29 09:46 0 --ahs---- C:\WINNT\system32\.exe

2006-08-28 14:31 20,448 --------- C:\WINNT\system32\net32a.exe

2006-08-28 08:12 20,480 --a------ C:\aol.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-08-29 09:46 0 --ahs---- C:\WINNT\system32\.exe

2006-08-28 10:24 -------- d-------- C:\Program Files\Windows SyncroAd

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"

"VRCNotify"="C:\\Program Files\\RACOM\\RACOM Internet Client\\VRCNotify.exe"

@=""

"WpsRePsw"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\WpsRePsw.EXE"

"StatusClient 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"

"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"

"Services"="C:\\WINNT\\system32\\5D.tmp"

"Security Check"="logincmd.exe"

"SmcService"="C:\\PROGRA~1\\Sygate\\SSA\\smc.exe -startgui"

"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""

"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internat.exe"="internat.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

@=""

"Windows Kernel System Service"="wkssvr.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000001

"legalnoticecaption"="Important Legal Notice (v.1.0)"

"legalnoticetext"="These computer resources,specifically Internet access and E-mail,are provided for authorized users only. For legal,security and cost reasons,utilization and access of resources are monitored and recorded in log files. All information (whether business or personal) that is created,received,downloaded,stored,sent or otherwise processed can be accessed,reviewed,copied,recorded or deleted by Ericsson,in accordance with approved internal procedures,at any time if deemed necessary or appropriate,and without advance notice. Any evidence of unauthorized access or misuse of Ericsson resources may result in disciplinary actions,including termination of employment or assignment,and could subject a user to criminal prosecution. Your use of Ericsson's computer resources constitutes your consent to Ericsson's Policies and Directives,including the provisions stated above. IF YOU ARE NOT AN AUTHORIZED USER,PLEASE EXIT IMMEDIATELY"

"shutdownwithoutlogon"=dword:00000001

"RunLogonScriptSync"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

"Windows Kernel System Service"="wkssvr.exe"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

"ForceStartMenuLogOff"=dword:00000001

"NoWindowsUpdate"=dword:00000001

"NoWelcomeScreen"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000003

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00002002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

"Windows Kernel System Service"="wkssvr.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{6129C408-54BF-4A2B-AA6C-9CC5E737261F}"=""

 

 

 

Completion time: Wed 2006-08-30 9:55:47.46

ComboFix.txt

ComboFix2.txt

 

 

 

And HijackThis log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:13:47, on 30/08/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\net32a.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\dllcache\wksrvs.exe

C:\WINNT\dllhost.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\wkssvr.exe

C:\WINNT\SYSTEM32\DWRCST.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

c:\dfndrff_14.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINNT\RXJpY3Nzb24gVXNlcg\command.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

C:\WINNT\system32\HPBPRO.EXE

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp

O4 - HKLM\..\Run: [security Check] logincmd.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe

O4 - HKLM\..\Run: [defender] c:\\dfndrff_14.exe

O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_14.exe

O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\rTsgprxy.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXJpY3Nzb24gVXNlcg\command.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe

O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe

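The "Files Created" section of the ComboFix log above is where the second wave shows up: a `lsass.exe` written to `C:\WINNT` rather than system32, a `rdriv.sys` driver in system32 proper, a zero-byte hidden+system file named just `.exe`, and `net32a.exe`, which the new HijackThis log then lists as the binary behind the "Windows Genuine Advantage Registration Service". As an added example that is not part of the original post, the following Python parses that ComboFix listing format, applies per-file red flags, and cross-references every new file against the service binary paths taken from the O23 lines of the HijackThis log in the same post. The sample lines are copied from the post, the autostart path list is constructed from its O23 entries, and `C:\WINNT` as %SystemRoot% is an assumption.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample: the "Files Created" lines from the ComboFix log above.
FILES_CREATED = r"""
2006-08-30 09:10 358 --a------ C:\Combo.bat
2006-08-29 10:15 7,168 --a------ C:\WINNT\system32\rdriv.sys
2006-08-29 10:08 1,093,632 --------- C:\WINNT\lsass.exe
2006-08-29 09:46 0 --ahs---- C:\WINNT\system32\.exe
2006-08-28 14:31 20,448 --------- C:\WINNT\system32\net32a.exe
2006-08-28 08:12 20,480 --a------ C:\aol.exe
2006-08-28 10:24 -------- d-------- C:\Program Files\Windows SyncroAd
"""
# Constructed from the O23 service lines of the HijackThis log in the same post.
AUTOSTART_PATHS = [
    r"C:\WINNT\RXJpY3Nzb24gVXNlcg\command.exe",
    r"C:\WINNT\lsass.exe",
    r"C:\WINNT\system32\net32a.exe",
    r"C:\Program Files\Network Monitor\netmon.exe",
    r"C:\WINNT\dllhost.exe",
]

# date time size attrs path; size is dashes for directories.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[a-z-]+)\s+(?P<path>.+)$"
)
WINDOWS_DIR = "c:\\winnt"  # assumed %SystemRoot% for this Windows 2000 box
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Entry:
    created: str
    size: Optional[int]  # None for directories
    attrs: frozenset     # attribute letters, e.g. {'a'}, {'a','h','s'}, {'d'}
    path: str


def parse_listing(text: str) -> List[Entry]:
    """Turn ComboFix 'Files Created' / Find3M lines into Entry records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        attrs = frozenset(c for c in m["attrs"] if c != "-")
        entries.append(Entry(m["date"] + " " + m["time"], size, attrs, m["path"]))
    return entries


def file_flags(e: Entry) -> List[str]:
    """Per-file heuristics; directories are skipped."""
    if "d" in e.attrs:
        return []
    p = PureWindowsPath(e.path.lower())
    parent = str(p.parent)
    reasons = []
    if {"h", "s"} <= e.attrs:
        reasons.append("hidden+system attributes")
    if p.name.startswith("."):
        reasons.append("name is only an extension")
    if e.size == 0:
        reasons.append("zero-byte file")
    if p.suffix in EXEC_EXT and parent in (str(p.anchor), WINDOWS_DIR):
        reasons.append("executable dropped in drive root or %SystemRoot%")
    if p.suffix == ".sys" and "drivers" not in p.parts:
        reasons.append("kernel driver outside system32\\drivers")
    return reasons


def report(listing_text: str, autostart_paths) -> Dict[str, List[str]]:
    """Map each suspicious new file to its reasons, including autostart correlation."""
    wanted = {a.lower() for a in autostart_paths}
    out: Dict[str, List[str]] = {}
    for e in parse_listing(listing_text):
        reasons = file_flags(e)
        if e.path.lower() in wanted:
            reasons.append("registered as a service/autostart target")
        if reasons:
            out[e.path] = reasons
    return out


if __name__ == "__main__":
    for path, reasons in report(FILES_CREATED, AUTOSTART_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

On the sample, five of the seven entries are reported and `C:\Combo.bat` (ComboFix's own batch file) and the directory are not. The correlation step is the one that matters for `net32a.exe`: nothing about the file itself is odd, but a file written two days ago that is already the binary of a service with no vendor string is exactly the pattern the helper is chasing in this thread.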

  • Download Delcmdservice.zip to your Desktop.
  • Now unpack the delcmdservice folder to your desktop. (Click here for information on how to unpack files.)
  • Open the delcmdservice folder on your desktop and double-click DelReg.bat; a DOS window will open and rapidly close. This is normal.
  • Now close the delcmdservice folder.

* Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

  1. Unzip all files to a convenient location such as C:\Qoofix.
  2. Go to the folder you unzipped all files and run Qoofix.exe.
  3. Click Begin Removal and wait for the scan to finish.
  4. If an infection has been found, select yes to restart your computer.

1. Please download Ewido Anti-Malware

  • Install ewido anti-malware.
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
    • Exit ewido; do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

 

2. Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

4. Once in Safe Mode, Open Ewido:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

 

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

Reboot into normal Windows and post the contents of the ewido text report that you saved and the contents of the Qoofix log file, with a new HijackThis log.


Hi,

Problem at the very beginning: I cannot finish the Ewido Anti-Malware setup; it stops before I get to the "I Agree" part.

 

Regards

dariom70


I managed to install Ewido. Now the problem is that when I start it in Safe Mode it says "Something bad happened to application, error diagnostic file saved to..." !?


Never mind, do these steps please:

 

Please download Look2Me-Destroyer.exe to your desktop.

 

* Close all windows before continuing.

* Double-click Look2Me-Destroyer.exe to run it.

* Put a check next to Run this program as a task.

* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK

* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.

* Once it's done scanning, click the Remove L2M button.

* You will receive a Done Scanning message, click OK.

* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.

* Your computer will then shutdown.

* Turn your computer back on.

* Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

 

If you receive a message from your firewall about this program accessing the internet please allow it.

 

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


As you said:

 

 

Look2Me-Destroyer V1.0.12

 

Scanning for infected files.....

Scan started at 31.8.2006 14:39:12

 

Infected! C:\WINNT\system32\l6p20g7oe6.dll

Infected! C:\WINNT\system32\fp4003hme.dll

Infected! C:\WINNT\system32\gp80l3lm1.dll

Infected! C:\WINNT\system32\hytcpmib.dll

Infected! C:\WINNT\system32\hzboidps.dll

Infected! C:\WINNT\system32\iIssvcs.dll

Infected! C:\WINNT\system32\irdkcs32.dll

Infected! C:\WINNT\system32\l6p20g7oe6.dll

Infected! C:\WINNT\system32\mvn6l95s1.dll

Infected! C:\WINNT\system32\wpnsta.dll

Infected! C:\WINNT\system32\guard.tmp

 

Attempting to delete infected files...

 

Attempting to delete: C:\WINNT\system32\l6p20g7oe6.dll

C:\WINNT\system32\l6p20g7oe6.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\fp4003hme.dll

C:\WINNT\system32\fp4003hme.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\gp80l3lm1.dll

C:\WINNT\system32\gp80l3lm1.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\hytcpmib.dll

C:\WINNT\system32\hytcpmib.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\hzboidps.dll

C:\WINNT\system32\hzboidps.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\iIssvcs.dll

C:\WINNT\system32\iIssvcs.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\irdkcs32.dll

C:\WINNT\system32\irdkcs32.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\l6p20g7oe6.dll

C:\WINNT\system32\l6p20g7oe6.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\mvn6l95s1.dll

C:\WINNT\system32\mvn6l95s1.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\wpnsta.dll

C:\WINNT\system32\wpnsta.dll Deleted successfully!

 

Attempting to delete: C:\WINNT\system32\guard.tmp

C:\WINNT\system32\guard.tmp Deleted successfully!

 

Making registry repairs.

 

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2A3BCF3B-370C-4380-ADE1-5373B7B17A8D}"

HKCR\Clsid\{2A3BCF3B-370C-4380-ADE1-5373B7B17A8D}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{13AB8A93-B3A5-4C91-AE90-54BF7DFC403A}"

HKCR\Clsid\{13AB8A93-B3A5-4C91-AE90-54BF7DFC403A}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5D9A1D68-206B-49C5-B801-DC1212B3E4D0}"

HKCR\Clsid\{5D9A1D68-206B-49C5-B801-DC1212B3E4D0}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0880CADD-0F92-497D-8CCA-6E29DC5FCC88}"

HKCR\Clsid\{0880CADD-0F92-497D-8CCA-6E29DC5FCC88}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{44836CD4-BB03-4294-9377-A76471BD798D}"

HKCR\Clsid\{44836CD4-BB03-4294-9377-A76471BD798D}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{09C79D18-06C8-46FC-93E4-8DD164570DB6}"

HKCR\Clsid\{09C79D18-06C8-46FC-93E4-8DD164570DB6}

 

Restoring Windows certificates.

 

Replaced hosts file with default windows hosts file

 

 

Restoring SeDebugPrivilege for Administrators - Succeeded

 

 

 

And HijackThis:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:55:46, on 31/08/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\dllcache\wksrvs.exe

C:\WINNT\dllhost.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\nwnmff_14.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ESOE\ECC.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp

O4 - HKLM\..\Run: [security Check] logincmd.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe

O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe

O23 - Service: Windows Firewall (WinFWd) - NFe Soft - C:\WINNT\dllhost.exe


Download SDFix and save it to your desktop.

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


SDFix cannot be downloaded from this location. I tried other locations found on the internet, but it was not possible to download the proper file.


* Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found: check.gif
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.


As you said:

 

Logfile of HijackThis v1.99.1

Scan saved at 09:18:29, on 01/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp

O4 - HKLM\..\Run: [security Check] logincmd.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe

O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

 

And DrWeb report :

 

 

 

wksrvs.exe;C:\WINNT\system32\dllcache;Probably DLOADER.IRC.PWS.Trojan;Incurable.Moved.;

dllhost.exe;C:\WINNT;BackDoor.Servu.60;Incurable.Moved.;

nwnmff_14.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;

aol.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;

drsmartload.exe;C:\;Trojan.DownLoader.12431;Deleted.;

drsmartload45a45h.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;

drsmartload46a46h.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;

drsmartload849a849h.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;

Installer3.exe;C:\;Adware.Look2me;Incurable.Moved.;

MTE3NDI6ODoxNg.exe;C:\;Trojan.DownLoader.5013;Deleted.;

nwnmff_14.exe;C:\;Adware.DollarRevenue;;

Archicad_r2_crk.EXE;C:\Boba PC Old\unzipped\Archicad_6.5_R2_Int;Tool.GameCrack;Incurable.Moved.;

cmdinst.exe;C:\Documents and Settings\rbsboro\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;

imloader.exe;C:\Documents and Settings\rbsboro\Local Settings\Temp\ImInstaller\IncrediMail;Adware.IncrediMail;Incurable.Moved.;

aol_start[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\DFJZLTCE;Adware.DollarRevenue;Incurable.Moved.;

dfndrff_13[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\DFJZLTCE;Adware.DollarRevenue;Incurable.Moved.;

kybrdff_13[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\DFJZLTCE;Adware.DollarRevenue;Incurable.Moved.;

dfndrff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\KFDZ2QJ9;Adware.DollarRevenue;Incurable.Moved.;

drsmartload45a[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\KFDZ2QJ9;Adware.DollarRevenue;Incurable.Moved.;

kybrdff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\MPANIVSV;Adware.DollarRevenue;Incurable.Moved.;

Installer[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\P8W7HP0X;Adware.Look2me;Incurable.Moved.;

loader[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\P8W7HP0X;Trojan.DownLoader.12431;Deleted.;

nwnmff_13[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\P8W7HP0X;Adware.DollarRevenue;Incurable.Moved.;

drsmartload849a[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\WDENQXA3;Adware.DollarRevenue;Incurable.Moved.;

installer[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\WDENQXA3;Trojan.Proxy.493;Incurable.Moved.;

MTE3NDI6ODoxNg[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\Y4I9ZHKW;Trojan.DownLoader.5013;Deleted.;

nwnmff_14[1].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\YXTY32D8;Adware.DollarRevenue;Incurable.Moved.;

drsmartload46a[2].exe;C:\Documents and Settings\rbsboro\Local Settings\Temporary Internet Files\Content.IE5\Z2R5DDF7;Adware.DollarRevenue;Incurable.Moved.;

cmdinst.exe;C:\Documents and Settings\rbsdami\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;

drsmartload45a[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CDUN8DI7;Adware.DollarRevenue;Incurable.Moved.;

drsmartload849a[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CDUN8DI7;Adware.DollarRevenue;Incurable.Moved.;

nwnmff_14[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CDUN8DI7;Adware.DollarRevenue;Incurable.Moved.;

installer[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CPE3W5ER;Trojan.Proxy.493;Incurable.Moved.;

Installer[2].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\CPE3W5ER;Adware.Look2me;Incurable.Moved.;

kybrdff_14[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\G5M74H6R;Adware.DollarRevenue;Incurable.Moved.;

loader[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\G5M74H6R;Trojan.DownLoader.12431;Deleted.;

dfndrff_14[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\OXQ30PEB;Adware.DollarRevenue;Incurable.Moved.;

drsmartload46a[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\OXQ30PEB;Adware.DollarRevenue;Incurable.Moved.;

MTE3NDI6ODoxNg[1].exe;C:\Documents and Settings\rbsdami\Local Settings\Temporary Internet Files\Content.IE5\OXQ30PEB;Trojan.DownLoader.5013;Deleted.;

deskbar.dll;C:\Program Files\Deskbar;Adware.Softomate;Incurable.Moved.;

SM0151.DLL;C:\Scala 5.0\S_PACK\Skipped;Modification of Milan.Naziskin.335;Moved.;

imloader.exe;C:\WINNT\Downloaded Program Files;Adware.IncrediMail;Incurable.Moved.;
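The Dr.Web report above is a `;`-separated list with one detection per line in the layout file;folder;threat;action; (note the trailing separator). The script below is an added example, not part of this thread and not Dr.Web's own tooling: it parses that layout and summarises what the scanner actually did with each file, so that an entry with an empty action column, like the second nwnmff_14.exe line in the report, stands out as still unhandled. The sample report in the block is constructed from a handful of lines in this thread, and the family-naming rule (strip a "Probably" or "Modification of" prefix and a trailing numeric variant) is an assumption about Dr.Web's naming, not something the vendor documents here.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Dr.Web CureIt report layout seen in the thread:
# file;folder;threat name;action taken;   (trailing ';' leaves an empty field)
SAMPLE_REPORT = r"""
wksrvs.exe;C:\WINNT\system32\dllcache;Probably DLOADER.IRC.PWS.Trojan;Incurable.Moved.;
dllhost.exe;C:\WINNT;BackDoor.Servu.60;Incurable.Moved.;
nwnmff_14.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload.exe;C:\;Trojan.DownLoader.12431;Deleted.;
nwnmff_14.exe;C:\;Adware.DollarRevenue;;
SM0151.DLL;C:\Scala 5.0\S_PACK\Skipped;Modification of Milan.Naziskin.335;Moved.;
"""


@dataclass
class Detection:
    name: str
    folder: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        # Folders in the report have no trailing backslash except the drive root.
        return self.folder.rstrip("\\") + "\\" + self.name


def parse_report(text: str) -> list:
    """Parse the ';'-separated report; raise on a line that lacks the four columns."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 ';'-separated fields, got {len(fields)}")
        name, folder, threat, action = (f.strip() for f in fields[:4])
        records.append(Detection(name, folder, threat, action))
    return records


def family(threat: str) -> str:
    """Collapse a detection name to its family (assumed naming rule, see lead-in)."""
    for prefix in ("Probably ", "Modification of "):
        if threat.startswith(prefix):
            threat = threat[len(prefix):]
    parts = threat.split(".")
    if len(parts) > 1 and parts[-1].isdigit():   # drop a trailing variant number
        parts.pop()
    return ".".join(parts)


def summarize(records: list) -> dict:
    """Group detections by family and by what the scanner did with each file."""
    summary = {
        "by_family": Counter(family(r.threat) for r in records),
        "deleted": [],
        "moved": [],
        "unhandled": [],
    }
    for r in records:
        if not r.action:
            summary["unhandled"].append(r.path)   # empty action column: file still in place
        elif "Deleted" in r.action:
            summary["deleted"].append(r.path)
        elif "Moved" in r.action:
            summary["moved"].append(r.path)
        else:
            summary.setdefault("other", []).append((r.path, r.action))
    return summary


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for fam, n in s["by_family"].most_common():
        print(f"{n:3d}  {fam}")
    print("deleted:  ", len(s["deleted"]))
    print("moved:    ", len(s["moved"]))
    print("unhandled:", s["unhandled"])
```

Feeding the full DrWeb.csv from a real scan into `parse_report` gives the same breakdown; the "unhandled" list is the one to act on, since those files were detected but neither cured, moved nor deleted.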


* Please open hijackthis and put a check next to the following:

 

O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp

O4 - HKLM\..\Run: [security Check] logincmd.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe

O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O4 - HKLM\..\RunServices: [ntdll.dll] wkssvr.exe

O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

 

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

 

* After that, reboot and post a new hijackthis log here and tell me how everything is working.
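The entries picked for fixing in the post above share a few tells: Run values that point at a .tmp file, at a bare file name with no path, or at the root of C:\; RunServices values, a Windows 9x-era key that Windows 2000 does not process; and services with an unknown owner whose binary is missing or sits in dllcache. The following script is an added example, not part of this thread and not HijackThis code: it encodes those tells as review heuristics over the O4 and O23 lines of a log. The sample lines are constructed from the shapes seen in this thread, the allowlist of bare-name Run entries is an assumption to tune per environment, and a hit means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 / O23 lines in the HijackThis v1.99.1 layout used in
# this thread (a handful of entries, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [security Check] logincmd.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Windows Socket System Service - Unknown owner - C:\WINNT\system32\dllcache\wksrvs.exe (file missing)
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*?)( \(file missing\))?$")
# First token of a Run command that looks like an executable, quotes stripped.
TARGET_RE = re.compile(r'"?(.*?\.(?:exe|com|bat|cmd|scr|pif|dll|tmp))', re.IGNORECASE)

SYSTEM32 = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
# Core Windows binary names that malware borrows; outside system32 they deserve a look.
CORE_NAMES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
              "dllhost.exe", "smss.exe", "csrss.exe"}
# Assumed allowlist: bare-name Run entries that are normal on Windows 2000.
KNOWN_BARE = {"internat.exe", "mobsync.exe"}


@dataclass
class Finding:
    line: str
    reasons: list


def normalize(path: str) -> str:
    """Collapse doubled backslashes (as in C:\\nwnmff_14.exe) and lower-case."""
    return re.sub(r"\\+", r"\\", path).lower()


def _split(path: str):
    p = normalize(path)
    base = p.rsplit("\\", 1)[-1]
    return p, base, p[: len(p) - len(base)]


def check_o4(key: str, target: str) -> list:
    """Heuristics for a Run-style autostart value; returns reasons for review."""
    p, base, folder = _split(target)
    reasons = []
    if key.lower() == "runservices":
        reasons.append("RunServices key: Windows 9x-era autostart, not processed by Windows 2000")
    if "\\" not in p and base not in KNOWN_BARE:
        reasons.append("bare file name: resolved through the search path, not a fixed location")
    if re.fullmatch(r"[a-z]:\\", folder):
        reasons.append("runs from the root of a drive")
    if base.endswith(".tmp"):
        reasons.append("executable registered with a .tmp extension")
    if base in CORE_NAMES and not folder.startswith(SYSTEM32):
        reasons.append("core Windows binary name outside system32")
    return reasons


def check_o23(owner: str, path: str, missing: bool) -> list:
    """Heuristics for a service entry; returns reasons for review."""
    p, base, folder = _split(path)
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("no publisher information on the service binary")
    if missing:
        reasons.append("service still registered but its binary is gone (orphaned entry)")
    if "\\dllcache\\" in p:
        reasons.append("binary lives in dllcache, the File Protection cache, not a service location")
    if base in CORE_NAMES and not folder.startswith(SYSTEM32):
        reasons.append("core Windows binary name outside system32")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            tm = TARGET_RE.match(cmd)
            reasons = check_o4(key, tm.group(1) if tm else cmd)
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            _name, owner, path, missing = m.groups()
            reasons = check_o23(owner, path, bool(missing))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the full log, the heuristics reproduce the nine entries selected in the post above and additionally surface the lsass service registered at C:\WINNT\lsass.exe and other "Unknown owner" services, which is the intended behaviour: the script shortlists entries for a human to verify against the file on disk, it does not decide for them.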


Here is the hijackthis log. It still runs very slowly, at nearly 100%.

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 09:28:44, on 04/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ESOE\EDMS\ECP.exe

C:\WINNT\system32\taskmgr.exe

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk =

C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate

Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program

Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program

Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program

Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM

Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program

Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program

Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP -

http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF:

JavaConnect -

http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 -

DPF: Sametime BC 651 -

http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16

- DPF: Sametime DA 651 -

http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16

- DPF: Sametime MRC 651 -

http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16

- DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory

Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF:

{2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) -

http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16

- DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) -

http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16

- DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) -

http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16

- DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -

http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16

- DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} -

http://www.photodex.com/pxplay.cab

O16 - DPF:

{F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -

http://www2.incredimail.com/contents/setup...er/imloader.cab

O17

- HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =

eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. -

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -

VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare

Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard

Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB

- C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB

- C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development

a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) -

Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies,

Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a)

- Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) -

Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec

AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec -

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate

Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support

(VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson

Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner -

C:\WINNT\dllhost.exe (file missing)


Logfile of HijackThis v1.99.1

Scan saved at 17:02:00, on 04/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)


Please run Notepad and copy the following text into a new file:

sc stop WinFWd

sc delete WinFWd

Save the file as remove.bat on your desktop and make sure the "Save as type" field says "All files".

Now double-click on remove.bat on your desktop; a command prompt will open shortly and close again.

 

Now, post a new hijackthis log here.


Done. Here is the HijackThis log as you requested.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 08:40:36, on 05/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)


Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

 

WinFWd

 

Click OK.

 

It should pull up information about the service, then ask if you want to reboot. Click YES.

 

Post a new HiJackThis log after it reboots and let me know if you received any error messages.


I have followed the procedure, but after I entered WinFWd and clicked OK I received the warning: "The service WinFWd is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window." I was not able to finish it and reboot.


* Fix the following line first in hijackthis:

 

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

 

After that, try again. :(

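The replies above do by hand what a responder does with every O23 block of a HijackThis log: pick out the service entries that look wrong, then get rid of them with sc.exe in an order HijackThis will accept. The script below is an added example written for this page; it is not HijackThis code and was not posted by anyone in the thread. It parses a subset of the O23 lines copied from the log posted earlier, flags entries on three assumed heuristics (image file reported missing, owner shown as "Unknown owner", an image that borrows a core Windows process name but lives outside system32), and prints the sc.exe sequence that avoids the "service is enabled and/or running, disable it first" refusal quoted above. The SYSTEM32 path, the core-image list and the heuristics themselves are assumptions for the example, not anything HijackThis does.

```python
"""Triage of HijackThis O23 service entries plus sc.exe removal commands.

Added example; not HijackThis code and not from the original thread.
SAMPLE_LOG is copied from the log posted in this thread. SYSTEM32,
CORE_IMAGES and the flagging rules are assumptions made for the example.
"""
import ntpath
import re

# One O23 line looks like:
#   O23 - Service: <display> (<service name>) - <owner> - <image path> [(file missing)]
# The "(<service name>)" part is absent when display and service name coincide.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption: the Windows 2000 system root, as the log's own paths show it.
SYSTEM32 = r"c:\winnt\system32"

# Assumption: image names that belong to core Windows processes. A service whose
# image borrows one of these names but sits outside system32 deserves a look first.
CORE_IMAGES = {
    "lsass.exe", "dllhost.exe", "svchost.exe", "services.exe",
    "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe",
}

# Constructed sample: a subset of the O23 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
"""


def parse_o23(text):
    """Return one dict per O23 line; lines that are not O23 entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "display": d["display"],
            "name": d["name"] or d["display"],   # short name defaults to display name
            "owner": d["owner"],
            "path": d["path"],
            "missing": d["missing"] is not None,
        })
    return entries


def flags_for(entry):
    """Reasons to look at this service before the rest (assumed heuristics)."""
    reasons = []
    if entry["missing"]:
        reasons.append("image file missing")
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no vendor / version info")
    image = ntpath.basename(entry["path"]).lower()
    folder = ntpath.dirname(entry["path"]).lower()
    if image in CORE_IMAGES and folder != SYSTEM32:
        reasons.append(f"core image name {image} outside system32")
    return reasons


def triage(text):
    """Flagged services, most reasons first: list of (service name, path, reasons)."""
    flagged = []
    for e in parse_o23(text):
        reasons = flags_for(e)
        if reasons:
            flagged.append((e["name"], e["path"], reasons))
    flagged.sort(key=lambda t: -len(t[2]))
    return flagged


def removal_commands(service_name):
    """sc.exe commands, in the order that sidesteps the 'enabled and/or running,
    disable it first' refusal: disable the start type, stop, delete, then confirm.
    The space after 'start=' is required by sc.exe. After a successful delete,
    'sc query' reports that the service does not exist, which is the confirmation."""
    return [
        f"sc config {service_name} start= disabled",
        f"sc stop {service_name}",
        f"sc delete {service_name}",
        f"sc query {service_name}",
    ]


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name:<12} {path}")
        for r in reasons:
            print(f"    - {r}")
    print()
    print("\n".join(removal_commands("WinFWd")))
```

Two details of the command order matter on the box in this thread. Because the WinFWd image is reported missing, the service cannot actually be running, so `sc stop` will answer that the service is not started; that is expected, and it is the "enabled" half of the HijackThis message that `sc config ... start= disabled` clears. `sc delete` against a service that is still running only marks it for deletion until the next reboot, which is why stop comes before delete.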

Can you try remove.bat in safe mode?
