dariom70

Could you, please, help me - hijackthis log inside


I did the remove.bat in safe mode. Do you want me to send you the HijackThis log, or should I proceed with the next step in HijackThis ("Delete an NT Service")?


Here it is.

Logfile of HijackThis v1.99.1

Scan saved at 17:04:52, on 06/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)


1. Download this file - combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


rbsdami - Thu 07/09/2006 8:27:46.79

ComboFix 06.09.04BT - Running from: C:\Documents and Settings\rbsdami\Desktop

 

Microsoft Windows 2000 [Version 5.00.2195]

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\deskbar.exe

C:\WINNT\uninstall_nmon.vbs

C:\WINNT\system32\atmtd.dll

C:\WINNT\system32\atmtd.dll._

C:\Documents and Settings\Default User\Application Data\NetMon

C:\Program Files\Deskbar

C:\Program Files\network monitor

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-08-07 to 2006-09-07 ))))))))))))))))))))))))))))))))))

 

 

2006-08-29 10:15 7,168 --a------ C:\WINNT\system32\rdriv.sys

2006-08-29 10:08 1,093,632 --------- C:\WINNT\lsass.exe

2006-08-29 09:46 0 --ahs---- C:\WINNT\system32\.exe

2006-08-28 14:31 20,448 --------- C:\WINNT\system32\net32a.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-09-04 13:33 -------- d-------- C:\Documents and Settings\rbsdami\Application Data\Real

2006-08-31 11:35 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0

2006-08-31 09:21 -------- d-------- C:\Documents and Settings\rbsdami\Application Data\Help

2006-08-29 09:46 0 --ahs---- C:\WINNT\system32\.exe

2006-08-28 10:24 -------- d-------- C:\Program Files\Windows SyncroAd

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"

"VRCNotify"="C:\\Program Files\\RACOM\\RACOM Internet Client\\VRCNotify.exe"

@=""

"WpsRePsw"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\WpsRePsw.EXE"

"StatusClient 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"

"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"

"SmcService"="C:\\PROGRA~1\\Sygate\\SSA\\smc.exe -startgui"

"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""

"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internat.exe"="internat.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000001

"legalnoticecaption"="Important Legal Notice (v.1.0)"

"legalnoticetext"="These computer resources,specifically Internet access and E-mail,are provided for authorized users only. For legal,security and cost reasons,utilization and access of resources are monitored and recorded in log files. All information (whether business or personal) that is created,received,downloaded,stored,sent or otherwise processed can be accessed,reviewed,copied,recorded or deleted by Ericsson,in accordance with approved internal procedures,at any time if deemed necessary or appropriate,and without advance notice. Any evidence of unauthorized access or misuse of Ericsson resources may result in disciplinary actions,including termination of employment or assignment,and could subject a user to criminal prosecution. Your use of Ericsson's computer resources constitutes your consent to Ericsson's Policies and Directives,including the provisions stated above. IF YOU ARE NOT AN AUTHORIZED USER,PLEASE EXIT IMMEDIATELY"

"shutdownwithoutlogon"=dword:00000001

"RunLogonScriptSync"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

"ForceStartMenuLogOff"=dword:00000001

"NoWindowsUpdate"=dword:00000001

"NoWelcomeScreen"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000003

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00002002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

"^SetupICWDesktop"=""

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

"Windows Kernel System Service"="wkssvr.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{6129C408-54BF-4A2B-AA6C-9CC5E737261F}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

 

 

Completion time: Thu 2006-09-07 8:29:28.29

ComboFix.txt

ComboFix2.txt

ComboFix3.txt


Please download the Killbox by Option^Explicit.

 

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\rdriv.sys
    C:\WINNT\system32\.exe
    C:\WINNT\system32\net32a.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

 

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

 

After that, run a scan with ComboFix again and post the log here with a new HijackThis log. :(


I have done what you told me to. I did not receive the message "PendingFileRenameOperations prompt".

 

Here are the ComboFix and HijackThis logs:

rbsdami - Thu 07/09/2006 17:20:38.50

ComboFix 06.09.04BT - Running from: C:\Documents and Settings\rbsdami\Desktop

 

Microsoft Windows 2000 [Version 5.00.2195]

 

((((((((((((((((((((((((((((((( Files Created from 2006-08-07 to 2006-09-07 ))))))))))))))))))))))))))))))))))

 

 

2006-09-07 17:15 7,168 --a------ C:\WINNT\system32\rdriv.sys

2006-08-29 10:08 1,093,632 --------- C:\WINNT\lsass.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-09-04 13:33 -------- d-------- C:\Documents and Settings\rbsdami\Application Data\Real

2006-08-31 11:35 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0

2006-08-31 09:21 -------- d-------- C:\Documents and Settings\rbsdami\Application Data\Help

2006-08-28 10:24 -------- d-------- C:\Program Files\Windows SyncroAd

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"

"VRCNotify"="C:\\Program Files\\RACOM\\RACOM Internet Client\\VRCNotify.exe"

@=""

"WpsRePsw"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\WpsRePsw.EXE"

"StatusClient 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"

"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"

"SmcService"="C:\\PROGRA~1\\Sygate\\SSA\\smc.exe -startgui"

"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""

"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internat.exe"="internat.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000001

"legalnoticecaption"="Important Legal Notice (v.1.0)"

"legalnoticetext"="These computer resources,specifically Internet access and E-mail,are provided for authorized users only. For legal,security and cost reasons,utilization and access of resources are monitored and recorded in log files. All information (whether business or personal) that is created,received,downloaded,stored,sent or otherwise processed can be accessed,reviewed,copied,recorded or deleted by Ericsson,in accordance with approved internal procedures,at any time if deemed necessary or appropriate,and without advance notice. Any evidence of unauthorized access or misuse of Ericsson resources may result in disciplinary actions,including termination of employment or assignment,and could subject a user to criminal prosecution. Your use of Ericsson's computer resources constitutes your consent to Ericsson's Policies and Directives,including the provisions stated above. IF YOU ARE NOT AN AUTHORIZED USER,PLEASE EXIT IMMEDIATELY"

"shutdownwithoutlogon"=dword:00000001

"RunLogonScriptSync"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

"ForceStartMenuLogOff"=dword:00000001

"NoWindowsUpdate"=dword:00000001

"NoWelcomeScreen"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000003

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00002002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

"^SetupICWDesktop"=""

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

"Windows Kernel System Service"="wkssvr.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{6129C408-54BF-4A2B-AA6C-9CC5E737261F}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

 

 

Completion time: Thu 2006-09-07 17:23:44.46

ComboFix.txt

ComboFix2.txt

ComboFix3.txt

Logfile of HijackThis v1.99.1

Scan saved at 17:24:46, on 07/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\lsass.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

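To see how the entries the helper went after (the second lsass.exe, net32a, WinFWd) stand out from the rest of a HijackThis log, here is a small triage script. It is an added example, not part of this thread or of HijackThis; the heuristics (no vendor information, "file missing", a core Windows binary name such as lsass.exe outside the system directory) are the editor's own, and the sample lines are copied from the two logs posted above.

```python
"""Defender-side triage of HijackThis process and O23 service lines.

Added example for this thread; the rules are the editor's heuristics, not
HijackThis logic.  Windows 2000 paths are handled with ntpath so the script
also runs on non-Windows hosts.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Core Windows binaries that, on a 2000/XP system, live only in the system directory.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "dllhost.exe",
}
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

CORE_OUTSIDE = "core Windows binary name outside the system directory"
NO_VENDOR = "binary carries no vendor information"
FILE_MISSING = "service points at a file that does not exist"
MS_NAME_NO_VENDOR = "Microsoft-style display name without Microsoft vendor information"


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def outside_system_dir(path: str) -> bool:
    """True when a core-binary name sits anywhere other than the system directory."""
    name = ntpath.basename(path).lower()
    return name in CORE_SYSTEM_BINARIES and ntpath.dirname(path).lower() not in SYSTEM_DIRS


def check_process(line: str) -> list:
    """A 'Running processes' entry is just a path; only the location rule applies."""
    return [CORE_OUTSIDE] if outside_system_dir(line) else []


def check_service(line: str) -> list:
    """Parse 'O23 - Service: <display name> - <owner> - <path>[ (file missing)]'."""
    body = line[len("O23 - Service: "):]
    parts = body.split(" - ", 2)
    if len(parts) != 3:
        return ["unparsable O23 line"]
    name, owner, path = parts
    reasons = []
    if path.endswith(" (file missing)"):
        path = path[: -len(" (file missing)")]
        reasons.append(FILE_MISSING)
    if owner == "Unknown owner":
        reasons.append(NO_VENDOR)
    if outside_system_dir(path):
        reasons.append(CORE_OUTSIDE)
    if owner == "Unknown owner" and name.startswith("Windows "):
        reasons.append(MS_NAME_NO_VENDOR)
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every process path or O23 line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - Service: "):
            reasons = check_service(line)
        elif DRIVE_PATH_RE.match(line):
            reasons = check_process(line)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: a subset of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

The genuine lsass.exe in the process list (under system32) passes silently; only the copy in C:\WINNT and the three services with no vendor information are reported.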

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

 

Files to delete:

C:\WINNT\system32\rdriv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.


Here are the contents of c:\avenger.txt and the HJT log.

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\cbedwcax

 

*******************

 

Script file located at: \??\C:\gmnowfkj.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

File C:\WINNT\system32\rdriv.sys deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:59:26, on 09/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

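The O23 section of the log above carries the entries that matter for this thread: a service named "lsass" whose image is C:\WINNT\lsass.exe rather than the real C:\WINNT\system32\lsass.exe, a "Windows Firewall (WinFWd)" service pointing at C:\WINNT\dllhost.exe, and a "Windows Genuine Advantage" service (net32a) whose file is already gone. Each has no owner information. The script below is an added example, not part of the original post or of HijackThis; it parses O23 lines and applies three checks a practitioner would run by hand: a well-known Windows binary name outside system32 (name masquerade), an image that is missing, and a Microsoft-sounding service with no vendor. The list of impersonated binaries and the C:\WINNT\system32 default are my assumptions for a Windows 2000 host like the one in the log; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows binaries that malware commonly impersonates by file name (assumed list).
# A legitimate copy lives in %SystemRoot%\system32; the same name anywhere else is suspect.
SYSTEM_BINARIES = {
    "lsass.exe", "svchost.exe", "services.exe", "winlogon.exe", "csrss.exe",
    "smss.exe", "dllhost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}

# HijackThis O23 layout: "O23 - Service: <display> [(<key name>)] - <owner> - <image> [(file missing)]"
O23_PREFIX = "O23 - Service: "
KEY_NAME_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)\s*$")


@dataclass
class ServiceEntry:
    display: str            # display name as shown by the SCM
    short: str              # service key name (falls back to display name)
    owner: str              # vendor string HJT reads from the file's version info
    image: str              # path of the service binary
    missing: bool           # HJT appended "(file missing)"
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Split one O23 line into its fields; return None for any other line."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):]
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    # Split from the right so " - " inside a display name does not confuse us.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, image = (p.strip() for p in parts)
    m = KEY_NAME_RE.match(name)
    display, short = (m.group("display"), m.group("short")) if m else (name, name)
    return ServiceEntry(display, short, owner, image, missing)


def triage(entry: ServiceEntry, system32: str = r"C:\WINNT\system32") -> ServiceEntry:
    """Attach a reason for every heuristic the entry trips (none means it looks ordinary)."""
    image_dir, _, image_name = entry.image.rpartition("\\")
    in_system32 = image_dir.lower() == system32.lower()
    unknown_owner = entry.owner.lower() == "unknown owner"
    if image_name.lower() in SYSTEM_BINARIES and not in_system32:
        entry.reasons.append(f"{image_name} outside {system32} (name masquerade)")
    if entry.missing:
        entry.reasons.append("image file missing (orphaned or self-deleting service)")
    if unknown_owner:
        entry.reasons.append("no vendor/owner information")
    if unknown_owner and entry.display.lower().startswith(("windows ", "microsoft ")):
        entry.reasons.append("claims to be a Microsoft component but carries no vendor")
    return entry


def suspicious_services(log_text: str, system32: str = r"C:\WINNT\system32") -> List[ServiceEntry]:
    """Return every O23 entry in a HijackThis log that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and triage(entry, system32).reasons:
            findings.append(entry)
    return findings


# O23 lines copied from the log above (an excerpt, used here as sample input).
SAMPLE_LOG = r"""
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
"""

if __name__ == "__main__":
    for finding in suspicious_services(SAMPLE_LOG):
        print(f"{finding.short:8} {finding.image}")
        for reason in finding.reasons:
            print(f"         - {reason}")
```

The masquerade check is the one that settles the lsass question: the real Local Security Authority process is started by winlogon from system32 and is not registered as a service at all, so an "lsass" service whose image sits one directory up is not a Windows component regardless of what the display name says. Treat the owner and "file missing" checks as weaker signals; HJT also reports "Unknown owner" for legitimate files that simply lack version information.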

Here it is.

 

rbsdami - Sat 09/09/2006 13:33:00.04

ComboFix 06.09.04BT - Running from: C:\Documents and Settings\rbsdami\Desktop

 

Microsoft Windows 2000 [Version 5.00.2195]

 

((((((((((((((((((((((((((((((( Files Created from 2006-08-09 to 2006-09-09 ))))))))))))))))))))))))))))))))))

 

 

2006-09-09 12:52 7,168 --a------ C:\WINNT\system32\rdriv.sys

2006-08-29 10:08 1,093,632 --------- C:\WINNT\lsass.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-09-04 13:33 -------- d-------- C:\Documents and Settings\rbsdami\Application Data\Real

2006-08-31 11:35 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0

2006-08-31 09:21 -------- d-------- C:\Documents and Settings\rbsdami\Application Data\Help

2006-08-28 10:24 -------- d-------- C:\Program Files\Windows SyncroAd

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"

"VRCNotify"="C:\\Program Files\\RACOM\\RACOM Internet Client\\VRCNotify.exe"

@=""

"WpsRePsw"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\WpsRePsw.EXE"

"StatusClient 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"

"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"

"SmcService"="C:\\PROGRA~1\\Sygate\\SSA\\smc.exe -startgui"

"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""

"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internat.exe"="internat.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000001

"legalnoticecaption"="Important Legal Notice (v.1.0)"

"legalnoticetext"="These computer resources,specifically Internet access and E-mail,are provided for authorized users only. For legal,security and cost reasons,utilization and access of resources are monitored and recorded in log files. All information (whether business or personal) that is created,received,downloaded,stored,sent or otherwise processed can be accessed,reviewed,copied,recorded or deleted by Ericsson,in accordance with approved internal procedures,at any time if deemed necessary or appropriate,and without advance notice. Any evidence of unauthorized access or misuse of Ericsson resources may result in disciplinary actions,including termination of employment or assignment,and could subject a user to criminal prosecution. Your use of Ericsson's computer resources constitutes your consent to Ericsson's Policies and Directives,including the provisions stated above. IF YOU ARE NOT AN AUTHORIZED USER,PLEASE EXIT IMMEDIATELY"

"shutdownwithoutlogon"=dword:00000001

"RunLogonScriptSync"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

"ForceStartMenuLogOff"=dword:00000001

"NoWindowsUpdate"=dword:00000001

"NoWelcomeScreen"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000003

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00002002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

"^SetupICWDesktop"=""

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

"Windows Kernel System Service"="wkssvr.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000095

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{6129C408-54BF-4A2B-AA6C-9CC5E737261F}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

 

 

Completion time: Sat 2006-09-09 13:36:06.28

ComboFix.txt

ComboFix2.txt

ComboFix3.txt


Download and save Blacklight to your desktop.

F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, then accept the agreement.

Click Scan, then Next.

You'll see a list of all items found.

Don't choose to rename anything yet! I want to see the log first, because legitimate items can also be present there...

There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

Post the contents of the log in your next reply.


Here is the fsbl.log.

 

 

 

09/11/06 08:09:29 [info]: BlackLight Engine 1.0.46 initialized

09/11/06 08:09:29 [info]: OS: 5.0 build 2195 (Service Pack 4)

09/11/06 08:09:29 [Note]: 7019 4

09/11/06 08:09:29 [Note]: 7005 0

09/11/06 08:09:44 [Note]: 7006 0

09/11/06 08:09:44 [Note]: 7011 2444

09/11/06 08:09:44 [Note]: 7026 0

09/11/06 08:09:44 [Note]: 7026 0

09/11/06 08:09:44 [Note]: 7024 3

09/11/06 08:09:44 [info]: Hidden process: C:\WINNT\lsass.exe

09/11/06 08:09:44 [Note]: FSRAW library version 1.7.1019

09/11/06 08:15:06 [Note]: 7002 0

09/11/06 08:15:06 [Note]: 7003 1


Please run Blacklight again. After the scan is complete, click Next.

 

Highlight this file and choose rename. Reboot when done.

 

C:\WINNT\lsass.exe

 

After the reboot, in your C:\WINNT folder you should see this file with a .ren extension:

 

C:\WINNT\lsass.exe.ren

 

Now, delete C:\WINNT\lsass.exe.ren

 

* After that, post a new hijackthis log here with a new report from blacklight.


I was not able to find C:\WINNT\lsass.exe.ren

 

Anyway, here is what you have asked for.

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 17:20:17, on 11/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)

 

 

 

09/11/06 16:55:22 [info]: BlackLight Engine 1.0.46 initialized

09/11/06 16:55:22 [info]: OS: 5.0 build 2195 (Service Pack 4)

09/11/06 16:55:28 [Note]: 7019 4

09/11/06 16:55:28 [Note]: 7005 0

09/11/06 16:55:36 [Note]: 7006 0

09/11/06 16:55:37 [Note]: 7011 1716

09/11/06 16:55:37 [Note]: 7026 0

09/11/06 16:55:37 [Note]: 7026 0

09/11/06 16:55:37 [Note]: 7024 3

09/11/06 16:55:37 [info]: Hidden process: C:\WINNT\lsass.exe

09/11/06 16:55:37 [Note]: FSRAW library version 1.7.1019

09/11/06 17:01:38 [Note]: 7002 0

09/11/06 17:01:38 [Note]: 7003 1

09/11/06 17:02:26 [Note]: 7007 0


I did the Blacklight scan once again this morning. It did not find any file to rename. Here are the new HJT log and Blacklight report. I still cannot find C:\WINNT\lsass.exe.ren.

 

09/12/06 10:30:33 [info]: BlackLight Engine 1.0.46 initialized

09/12/06 10:30:33 [info]: OS: 5.0 build 2195 (Service Pack 4)

09/12/06 10:30:33 [Note]: 7019 4

09/12/06 10:30:33 [Note]: 7005 0

09/12/06 10:30:35 [Note]: 7006 0

09/12/06 10:30:35 [Note]: 7011 1484

09/12/06 10:30:35 [Note]: 7026 0

09/12/06 10:30:36 [Note]: 7026 0

09/12/06 10:30:50 [Note]: FSRAW library version 1.7.1019

09/12/06 10:34:17 [Note]: 7007 0

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:41:18, on 12/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\msiexec.exe

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)


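The helper's attention in this log goes to the O23 service entries: a service called lsass whose binary sits in C:\WINNT instead of C:\WINNT\system32, a "Windows Firewall" service pointing at a missing C:\WINNT\dllhost.exe, and "Unknown owner" services with Microsoft-sounding names. The following script is an added example, not part of HijackThis or of any post in this thread; it mechanises that triage over O23 lines copied from the log above. The rule that a clean Windows 2000 install starts lsass.exe, dllhost.exe and the other listed system binaries only from %SystemRoot%\system32 is this example's assumption.

```python
"""
Triage of the 'O23 - Service:' lines in a HijackThis log.

Added example for this thread, not part of HijackThis or of any post in it.
The sample lines are copied from the log posted above; the location rule for
system binaries (system32 only) is this example's assumption.
"""
import ntpath
import re

# Constructed sample input: O23 lines taken from the HijackThis log above.
SAMPLE_O23 = r"""
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
"""

# HijackThis 1.99 O23 layout: display name [(service name)] - owner - path [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Binaries a clean Windows 2000 install starts only from %SystemRoot%\system32
# (example assumption; widen or adjust for the platform being triaged).
SYSTEM_BINARIES = {"lsass.exe", "services.exe", "svchost.exe", "dllhost.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32 = r"c:\winnt\system32"


def triage(log_text):
    """Return {service name: [reasons]} for every O23 entry that looks wrong."""
    findings = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name = m["name"] or m["display"]
        # ntpath handles backslash paths regardless of the host OS
        base = ntpath.basename(m["path"]).lower()
        parent = ntpath.dirname(m["path"]).lower()
        reasons = []
        if m["missing"]:
            reasons.append("binary missing: orphaned service key that still "
                           "tries to start at boot; delete the key")
        if base in SYSTEM_BINARIES and parent != SYSTEM32:
            reasons.append(f"{base} registered outside system32 ({parent}): "
                           "squats the name of a Windows process")
        if m["owner"].lower() == "unknown owner":
            reasons.append("no publisher in the binary's version info (or no file)")
            if re.search(r"\b(windows|microsoft)\b", m["display"], re.IGNORECASE):
                reasons.append("Windows-sounding display name but no Microsoft publisher")
        if reasons:
            findings[name] = reasons
    return findings


def report(findings):
    """Render the findings as indented text, one block per service."""
    lines = []
    for name, reasons in findings.items():
        lines.append(f"{name}:")
        lines.extend(f"  - {reason}" for reason in reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_O23)))
```

Run as-is it flags lsass, net32a, net32b and WinFWd and leaves Diskeeper and SmcService alone, which matches what the helper went after in the rest of the thread. The "file missing" rule explains why those entries keep reappearing in later logs: the binary was already removed, but the service key still exists, so the registry cleanup that follows is the real fix.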
Please download the Killbox by Option^Explicit.

 

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\lsass.exe.ren

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

 

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

 

* After that, go to start==>run==>type: sc stop WinFWd

And click OK

Finally, go again to run and type now:

sc delete WinFWd

And click OK

 

* Now post a new hijackthis log here.


After I did:

 

start==>run==>sc stop WinFWd

 

I received the following:

 

"Cannot find the file 'sc' (or one of its components). Make sure the path and filename are correct and that all required libraries are available"

 

Here is the HJL:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:59:22, on 25/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)


Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinFWd]

 

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.


Logfile of HijackThis v1.99.1

Scan saved at 10:38:59, on 27/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)


Open Notepad and copy and paste the text in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=dword:00000001
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

 

Save this as fix.reg, choose to save as *all files, and place it on your desktop.

It should look like this: reg.gif

Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

 

 

* Download SDFix and save it to your Desktop.

 

Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


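Both .reg files the helper posted (the one that deletes the WinFWd service keys across every control set, and the one above that restores firewall, share, Security Center, DCOM, Lsa and SharedAccess settings) are REGEDIT4 files with only four kinds of line: `[key]`, `[-key]`, `"name"=-` and `"name"=dword:`/`"name"="string"`. The script below is an added example, not part of the thread or of any tool it mentions: it parses those files and dry-runs them against a constructed "infected" registry snapshot, so that the effect of each merge can be checked before anyone double-clicks fix.reg. The snapshot values are illustrative and not taken from the victim machine; the second .reg text is abridged from the post above.

```python
"""
Parse and dry-run the REGEDIT4 fix files posted in this thread.

Added example, not part of the thread or of any tool it mentions. The
'infected' snapshot is constructed; the .reg texts come from the helper's
posts above (the second one abridged).
"""

SERVICE_REMOVAL_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WinFWd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinFWd]
"""

SECURITY_RESTORE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""


def parse_reg(text):
    """REGEDIT4 text -> list of (op, key, value_name, data) tuples.

    Handles what the fixes use ([key], [-key], "name"=-, dword:, "string");
    anything else raises ValueError instead of guessing.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header; regedit would refuse the file")
    ops, key = [], None
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-key] deletes the key and its subkeys
                ops.append(("delete_key", key[1:], None, None))
                key = None
            else:
                ops.append(("create_key", key, None, None))
        elif key is None:
            raise ValueError(f"value outside a key section: {line}")
        else:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data == "-":                  # "name"=- deletes the value
                ops.append(("delete_value", key, name, None))
            elif data.startswith("dword:"):  # hex, 8 digits
                ops.append(("set_value", key, name, int(data[6:], 16)))
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                ops.append(("set_value", key, name, data[1:-1]))
            else:
                raise ValueError(f"unsupported data: {line}")
    return ops


def apply_ops(snapshot, ops):
    """Dry-run ops on a flat {key: {name: data}} model of the registry.

    Simplifications: keys are matched as written (the real registry is
    case-insensitive); deleting a key also drops its subkeys, as regedit does.
    """
    reg = {k: dict(v) for k, v in snapshot.items()}
    for op, key, name, data in ops:
        if op == "delete_key":
            reg = {k: v for k, v in reg.items()
                   if k != key and not k.startswith(key + "\\")}
        elif op == "create_key":
            reg.setdefault(key, {})
        elif op == "delete_value":
            reg.get(key, {}).pop(name, None)
        else:  # set_value
            reg.setdefault(key, {})[name] = data
    return reg


CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
POLICY_FW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"

# Constructed 'before' snapshot: the bogus service from the log plus settings
# the second fix resets. Values are illustrative, not read from the victim.
INFECTED = {
    CCS + r"\Services\WinFWd": {"ImagePath": r"C:\WINNT\dllhost.exe", "Start": 2},
    CCS + r"\Services\WinFWd\Security": {},
    CCS + r"\Enum\Root\LEGACY_WinFWd": {},
    POLICY_FW + r"\DomainProfile": {"EnableFirewall": 0},
    CCS + r"\Services\SharedAccess": {"Start": 4},
    CCS + r"\Control\Lsa": {"restrictanonymous": 1},
}


def run_fixes(snapshot=INFECTED):
    """Apply the service removal, then the settings restore, to the snapshot."""
    after = apply_ops(snapshot, parse_reg(SERVICE_REMOVAL_REG))
    return apply_ops(after, parse_reg(SECURITY_RESTORE_REG))


if __name__ == "__main__":
    for key, values in sorted(run_fixes().items()):
        print(key, values)
```

The dry run shows why the first file lists every ControlSetNNN as well as CurrentControlSet: CurrentControlSet is only a link to one of them, and a service key left in another control set would come back the next time that set is booted. It also makes visible what the second file does to a machine: `"EnableFirewall"=-` removes a policy override rather than setting a value, and `Start`=2 on SharedAccess puts the service back to automatic start.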
SDFix: Version 1.26

-------------------

 

Scan run on:

sri 27.09.2006

 

Time:

15:15

 

 

Microsoft Windows 2000 [Version 5.00.2195]

 

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix

 

Stage One...

 

Checking Services...

 

Name:

-----

 

lsass

net32b

rdriv

SVKP

Windows Socket System Service

 

Path:

----

 

"C:\WINNT\lsass.exe"

C:\WINNT\system32\net32b.exe

\??\C:\WINNT\system32\rdriv.sys

\??\C:\WINNT\system32\SVKP.sys

"C:\WINNT\system32\dllcache\wksrvs.exe"

 

 

lsass ... deleted

net32b ... deleted

rdriv ... deleted

SVKP ... deleted

Windows Socket System Service ... deleted

 

 

Repairing Registry...

 

Restoring Default Hosts File...

 

Stage One Complete

 

Rebooting!

 

Stage Two...

 

Registry Cleaning Finished...

 

Checking For Malware Files:

--------------------------

 

C:\WINNT\system32\i

C:\WINNT\system32\net32b.exe

C:\WINNT\system32\rdriv.sys

C:\WINNT\system32\SVKP.SYS

 

Backing Up and Removing any Files Found...

 

Final Check:

 

Remaining Services:

------------------

 

Remaining Files:

--------------

 

 

 

*Any removed Files are saved in the SDFix\backups Folder*

 

*FINISHED*

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:32:16, on 27/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\VRCCfgService.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\Program Files\ESOE\ELogSrv.exe

C:\Program Files\ESOE\ESrv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ESOE\EDMS\ECIS.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\SYSTEM32\DWRCST.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\system32\hkcmd.exe

C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\WINNT\system32\msiexec.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\ftp.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\ESOE\ECC.exe

C:\Program Files\ESOE\EDMS\ECP.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WINZIP\winzip32.exe

C:\Documents and Settings\rbsdami\Local Settings\Temp\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe

O4 - HKLM\..\Run: [WpsRePsw] C:\WINNT\system32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE

O4 - HKLM\..\Run: [statusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe

O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe

O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe

O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe

O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe

O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab

O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javac...JavaConnect.cab

O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBro...dCastClient.cab

O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDir...ctoryApplet.cab

O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmee...gRoomClient.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javac...rlConLoader.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javac...oAwayLoader.cab

O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMee...STJNILoader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eemea.ericsson.se

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE

O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe

O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe

O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe

O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

O23 - Service: Windows Firewall (WinFWd) - Unknown owner - C:\WINNT\dllhost.exe (file missing)
