
MSN Virus??



nellie
2008-03-19, 10:37
Hi. My laptop seems to have become infected with a virus. This was received via MSN when I clicked on a link from a known friend saying 'your photos have been placed on facebook'.

I am running CA eTrust AntiVirus which, although an initial scan found no problems, has since detected a win32\matcash worm a couple of times during realtime scanning.

Attached are my Kaspersky and HijackThis logs. The Spybot scan found no immediate threats. Every time I reboot the laptop, Spybot asks if I want to allow a reg change for Flash Media in hklm\software\microsoft\windows\currentversion\run.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 19, 2008 8:01:24 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 638211
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 64719
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:52:31

Infected Object Name / Virus Name / Last Action
C:\SYSMGT\ETRAV6\DB\rtmaster.dbf Object is locked skipped
C:\SYSMGT\ETRAV6\DB\rtmaster.ntx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{40AF1343-9B93-4851-9EB7-55CBB3CB6D44}\RP466\change.log Object is locked skipped
C:\WINNT\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINNT\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINNT\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINNT\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINNT\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\Fujitsu Services_1205148649899.RDB Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\Internet Logs\UK090213LT.ldb Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\Perflib_Perfdata_5a8.dat Object is locked skipped
C:\WINNT\Temp\vmware-vmount.log Object is locked skipped
C:\WINNT\Temp\ZLT03b4c.TMP Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\profiles\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
D:\profiles\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\profiles\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\profiles\All Users\Application Data\VMware\vmnetdhcp.leases Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\Cookies\index.dat Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
D:\profiles\LocalService.NT AUTHORITY.001\NTUSER.DAT.LOG Object is locked skipped
D:\profiles\NetworkService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\profiles\NetworkService.NT AUTHORITY.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\profiles\NetworkService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
D:\profiles\NetworkService.NT AUTHORITY.001\NTUSER.DAT.LOG Object is locked skipped
D:\profiles\O'NeillR\Cookies\index.dat Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\profiles\O'NeillR\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Temp\services.exe Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Temp\~DF779.tmp Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Temp\~DF79E.tmp Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\profiles\O'NeillR\Local Settings\Temporary Internet Files\Content.IE5\7IJHE232\6736f989[1].exe Infected: Trojan-Downloader.Win32.Small.sth skipped
D:\profiles\O'NeillR\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\profiles\O'NeillR\ntuser.dat Object is locked skipped
D:\profiles\O'NeillR\NTUSER.DAT.LOG Object is locked skipped
D:\profiles\O'NeillR\zriqhj.exe Infected: Trojan-Downloader.Win32.Small.sth skipped
D:\System Volume Information\_restore{40AF1343-9B93-4851-9EB7-55CBB3CB6D44}\RP466\change.log Object is locked skipped

Scan process completed.

---------------------------

HijackThis log posted in the next post...

nellie
2008-03-19, 10:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:25:42, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\SYSMGT\ETRAV6\InoRpc.exe
C:\SYSMGT\ETRAV6\InoRT.exe
C:\SYSMGT\ETRAV6\InoTask.exe
C:\WINNT\System32\Fast.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
C:\WINNT\Explorer.EXE
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\System32\taskswitch.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\SYSMGT\ETRAV6\realmon.exe
C:\WINNT\system32\igfxtray.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\profiles\All Users\Start Menu\Programs\Startup\KVM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FUJITS~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
D:\profiles\O'NeillR\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cafevik.fs.fujitsu.com/index.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fel01.icl.local:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fs.fujitsu.com;*.icl.fi;*.icl.se;145.227.*.*;172.19.*;192.168.*.*;*.icl.co.uk;*.fjcomp.com;172.30.*.*;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\System32\fast.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\SYSMGT\ETRAV6\realmon.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: KVM.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.fs.fujitsu.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: *.icl.co.uk (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {0BA88017-39EC-4954-B6D3-C366B8C27CE6} (PWLibraryComponent.ctlProjectWEBLibrary) - http://pjweb-uk1.solutionnet.fs.fujitsu.com/GSN0002/pjwebroot/GSNPWLIBRARY/client/PWLibraryComponent.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/gb/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127474906889
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194346262496
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINNT\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINNT\Lic98RmtD.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 12802 bytes

shelf life
2008-03-24, 13:53
hi,

Sorry for the delay, no shortage of posters. Log doesn't look too bad: some items to clean and one to get checked out.

This looks like a workplace computer, not a personal one.
Is that the case? Normally a business would have somebody in-house that could help you.

Since it's been a few days, if you still need help, post back.

nellie
2008-03-25, 08:03
Hi, yes, this is a workplace computer, although I am expected to support the machine myself as I work remotely. Still require assistance please :)

shelf life
2008-03-25, 11:10
hi nellie

OK, I am short on time right now. I will post back later.

shelf life

shelf life
2008-03-26, 00:58
hi,

OK, I am back. Let's do this:

Navigate to D:\profiles\O'NeillR
See if you can find and delete:
zriqhj.exe
----------------------------
The interesting one is here:
D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe

D:\profiles\user name\local settings\Temp
In the temp folder, look for a services.exe running.

If you don't see the Local Settings dir, do this to help show all files:
For XP: on the desktop double click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

If you can locate the services.exe, do this:

Go to the website below, browse for the .exe again and upload it to the website so it can be checked out.
http://www.virustotal.com/

You can copy/paste the results in your reply.

shelf life
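
As an added illustration (not code from the thread, from HijackThis or from Trend Micro), a small Python triage script that applies the checks the helper is making by eye on the posted log: a core process name running from outside the Windows directory, an extra UserInit entry, and an autostart entry pointing into a Temp folder. The sample log is constructed from lines in the posted log plus one invented "Flash Media" entry that mirrors the Spybot prompt in the first post; the Windows directory being C:\WINNT or C:\Windows is an assumption.

```python
"""Triage checks for a HijackThis v2 log (added example, not the forum's or
HijackThis's own code).

Automates what the helper is doing by eye on the posted log:
  * a binary that borrows a core Windows process name (services.exe,
    svchost.exe, ...) but runs from outside the Windows directory;
  * an F2 UserInit value with anything beyond the stock userinit.exe, which
    winlogon launches at every logon (a persistence hook);
  * O4 autostart entries whose target lives in a Temp folder.
"""
import re
from typing import List, Tuple

# Core Windows process names that malware commonly impersonates.
CORE_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe",
}
# Assumption: the Windows directory is C:\WINNT (as on the poster's XP box)
# or C:\Windows; anything else is treated as outside it.
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# "O4 - <hive>\..\Run: [name] target" or "O4 - Global Startup: target"
O4_TARGET_RE = re.compile(r"O4 - .*?: (?:\[[^\]]*\] )?(.*)")

Finding = Tuple[str, str]  # (check name, offending path or entry)


def _basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _in_windows_dir(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(WINDOWS_DIRS)


def analyze_hjt_log(text: str) -> List[Finding]:
    """Return (check, detail) pairs for every suspicious line in the log."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
                continue
            if _basename(line) in CORE_PROCESS_NAMES and not _in_windows_dir(line):
                findings.append(("masquerading-process", line))
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1]
            for entry in (e.strip() for e in value.split(",")):
                if not entry:
                    continue
                if _basename(entry) == "userinit.exe" and _in_windows_dir(entry):
                    continue        # the stock entry
                findings.append(("userinit-hook", entry))
            continue
        if line.startswith("O4 - "):
            m = O4_TARGET_RE.match(line)
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append(("startup-from-temp", m.group(1)))
    return findings


# Constructed sample: lines taken from the posted log, plus an invented
# "Flash Media" entry (path made up) mirroring the Spybot prompt.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\Explorer.EXE
D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Run: [Flash Media] D:\profiles\O'NeillR\Local Settings\Temp\fm.exe
"""

if __name__ == "__main__":
    for check, detail in analyze_hjt_log(SAMPLE_LOG):
        print(f"{check:22s} {detail}")
```

Run against the full posted log, the same three checks flag the Temp services.exe both as a running process and as the second UserInit value; the zriqhj.exe file the Kaspersky scan found does not appear in the HijackThis log at all, which is why it was found by scanning rather than by log review.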

nellie
2008-03-26, 10:07
Thanks shelf life.

I have located and deleted zriqhj.exe.

I have also found services.exe in the temp folder under my profile, but when I try to send this to virustotal.com I receive the following message.

"0 bytes size received / Se ha recibido un archivo vacio"

I also tried installing the VirusTotal uploader, and when I try to send the file using my context menu I get a pop-up window saying "Error! Couldn't open file!"

shelf life
2008-03-26, 22:46
hi,

OK, thanks for the info. An exe running out of a temp dir isn't usually a good sign, but since this is a workplace computer, who knows? So that's why I am being careful not to jump to any conclusions.


Let's see if SDFix can dig up anything. Needs to run in safe mode. Directions:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

You could also right click on services.exe and look under the tabs for any version/company information.

If you can ID the services.exe running out of the temp dir by looking in Zone Alarm, you could deny it a connection also.

shelf life

nellie
2008-03-27, 00:05
OK, done as requested. Only problem is I cannot log on in safe mode under my own account as it is a domain account (albeit a local one). Contents of report.txt as follows:


SDFix: Version 1.162

Run by 00000002 on 26/03/2008 at 22:47

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

EOF.

There is no company info/version number against services.exe

I have blocked internet access for this process in zone labs as suggested.

New HJT log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:04:31, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\SYSMGT\ETRAV6\InoRpc.exe
C:\SYSMGT\ETRAV6\InoRT.exe
C:\SYSMGT\ETRAV6\InoTask.exe
C:\WINNT\System32\Fast.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\Explorer.EXE
D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\System32\taskswitch.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\SYSMGT\ETRAV6\realmon.exe
C:\WINNT\system32\igfxtray.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\BTTray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
D:\profiles\All Users\Start Menu\Programs\Startup\KVM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FUJITS~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\WINNT\procexp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\profiles\O'NeillR\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cafevik.fs.fujitsu.com/index.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fel01.icl.local:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fs.fujitsu.com;*.icl.fi;*.icl.se;145.227.*.*;172.19.*;192.168.*.*;*.icl.co.uk;*.fjcomp.com;172.30.*.*;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\System32\fast.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\SYSMGT\ETRAV6\realmon.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: KVM.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.fs.fujitsu.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: *.icl.co.uk (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {0BA88017-39EC-4954-B6D3-C366B8C27CE6} (PWLibraryComponent.ctlProjectWEBLibrary) - http://pjweb-uk1.solutionnet.fs.fujitsu.com/GSN0002/pjwebroot/GSNPWLIBRARY/client/PWLibraryComponent.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/gb/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127474906889
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194346262496
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINNT\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINNT\Lic98RmtD.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 12872 bytes

nellie
2008-03-27, 00:07
One other thing I forgot to mention. Earlier today I noticed a process called 17pholmes1423.exe running on the machine. Not running at the moment....

shelf life
2008-03-27, 01:05
Hi,

Thanks for the info.
The safe mode with networking option will authenticate to the server, I believe, and allow you to log in.

But before trying that to run SDFix, let's get a copy of SUPERAntiSpyware on your machine.
Download, install, update and do a complete scan with it (link below). After the scan you can post the log.

To retrieve the removal information, please do the following:

* After reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (Notepad).
* Please highlight everything, then right-click and choose copy.
* Click close and close again to exit the program.

SUPERAntiSpyware:
http://www.superantispyware.com/

"i noticed a process called 17pholmes1423.exe"

That is malware for sure. Let's see what SAS can dig up.
-------------------------------

nellie
2008-03-27, 08:12
Thanks shelf life. Contents of the SAS Scanner log as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/27/2008 at 01:02 AM

Application Version : 4.0.1154

Core Rules Database Version : 3426
Trace Rules Database Version: 1418

Scan type : Complete Scan
Total Scan Time : 00:35:05

Memory items scanned : 533
Memory threats detected : 0
Registry items scanned : 5951
Registry threats detected : 0
File items scanned : 19539
File threats detected : 27

Adware.Tracking Cookie
D:\profiles\O'NeillR\Cookies\oneillr2@adopt.euroclick[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@2o7[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@adbrite[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@ads.techguy[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@rocku.adbureau[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@bs.serving-sys[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@ad.yieldmanager[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@tracking.dc-storm[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@msnportal.112.2o7[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@track.adform[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@uk.sitestat[3].txt
D:\profiles\O'NeillR\Cookies\oneillr2@adtech[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@serving-sys[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@revsci[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@uk.sitestat[4].txt
D:\profiles\O'NeillR\Cookies\oneillr2@forum.sussex-mtb[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@questionmarket[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@uk.sitestat[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@ad.uk.tangozebra[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@tribalfusion[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@server.iad.liveperson[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@ads.takethefamily[2].txt
D:\profiles\O'NeillR\Cookies\oneillr2@xiti[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@uk.sitestat[1].txt
D:\profiles\O'NeillR\Cookies\oneillr2@ads.neransk[2].txt

Trojan.Downloader-Gen/MROFIN
C:\SDFIX\BACKUPS\MROFINU1423.EXE
C:\SDFIX\BACKUPS\MROFINU1423.EXE.TMP

shelf life
2008-03-27, 23:56
Hi,

SAS found mostly cookies, not much to worry about there.

Before using HJT please disable Spybot's TeaTimer so it will allow changes. How:

Spybot S&D (TeaTimer)

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Start HJT, click the "Scan" button, check the item below, close any open windows, then click "Fix checked":

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe

Let's do an online scan using the ESET online scanner.

ESET online scanner:
http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept terms.
Click the start button.
Allow the ActiveX component to install.
Click the start button. The scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

Please copy/paste that log in your next reply.

Please post the online scan log and a new HJT log.

nellie
2008-03-28, 11:21
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2980 (20080328)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=6f310895253f9e4cad2817d73a691aa1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-28 10:19:37
# local_time=2008-03-28 10:19:37 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=441090
# found=0
# scan_time=4796

------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:27, on 28/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\SYSMGT\ETRAV6\InoRpc.exe
C:\SYSMGT\ETRAV6\InoRT.exe
C:\SYSMGT\ETRAV6\InoTask.exe
C:\WINNT\System32\Fast.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\System32\taskswitch.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\SYSMGT\ETRAV6\realmon.exe
C:\WINNT\system32\igfxtray.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\BTTray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
D:\profiles\All Users\Start Menu\Programs\Startup\KVM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FUJITS~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
D:\profiles\O'NeillR\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cafevik.fs.fujitsu.com/index.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fel01.icl.local:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fs.fujitsu.com;*.icl.fi;*.icl.se;145.227.*.*;172.19.*;192.168.*.*;*.icl.co.uk;*.fjcomp.com;172.30.*.*;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\System32\fast.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\SYSMGT\ETRAV6\realmon.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: KVM.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.fs.fujitsu.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: *.icl.co.uk (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {0BA88017-39EC-4954-B6D3-C366B8C27CE6} (PWLibraryComponent.ctlProjectWEBLibrary) - http://pjweb-uk1.solutionnet.fs.fujitsu.com/GSN0002/pjwebroot/GSNPWLIBRARY/client/PWLibraryComponent.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/gb/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127474906889
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194346262496
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINNT\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINNT\Lic98RmtD.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 13046 bytes


Thanks

shelf life
2008-03-29, 03:02
Hi,

I see it's still there. Neither SAS nor the ESET online scanner picked it up. Looks like that machine was an upgrade from Windows 2000?
Any luck booting into safe mode to run SDFix?

nellie
2008-03-31, 19:46
Contents of results.txt after running SDFix in safe mode:

SDFix: Version 1.162

Run by ONeillR2 on 31/03/2008 at 18:24

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

------------

There was an error message whilst SDFix was running saying it could open the services.exe file.

Cheers.

shelf life
2008-04-01, 03:53
Hi nellie,

OK, SUPERAntiSpyware and the online scan look ok. Looks like SDFix picked up something:
C:\SDFIX\BACKUPS\MROFINU1423.EXE
C:\SDFIX\BACKUPS\MROFINU1423.EXE.TMP
Don't know if it completed the entire scan or not.

You blocked the mysterious services.exe in Zone Alarm; services.exe is still present on the computer.

I say we attempt to delete it. Most likely it would have to be done in safe mode.

First use HJT:

Start HJT, click the "Scan" button, check the item below, close any open windows, then click "Fix checked":

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe

Next: boot into safe mode, navigate to the Temp dir and try to delete services.exe.

In safe mode also:
Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-------------
Reboot normally and post a new HJT log.
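
The F2 line shelf life asks to fix is the persistence clue in this thread: Windows launches every comma-separated program in the Userinit value at logon, so the extra services.exe in the user's Temp folder started beside the real userinit.exe, and the same file shows up in the running-process list outside system32. The Python script below is an added example (not from the thread, nor from HijackThis) that triages a HijackThis log for those two clues. The sample log is constructed from lines quoted in this thread, and the set of core binary names is an assumption of the example.

```python
"""Triage a HijackThis log for the two clues that gave away this infection.

Added example, not part of the thread or of HijackThis.  It flags (1) a
Userinit value that launches anything besides <windir>\\system32\\userinit.exe
and (2) a running process that borrows a core Windows binary's name but runs
from outside system32, or that runs from a Temp folder.
"""
import ntpath
import re

# Core binaries that only ever run from <windir>\system32.  The set is this
# example's own assumption; explorer.exe is deliberately absent because it
# legitimately lives in <windir> itself (C:\WINNT\Explorer.EXE in this log).
CORE_SYSTEM_BINARIES = {
    "services.exe", "lsass.exe", "winlogon.exe", "smss.exe",
    "csrss.exe", "svchost.exe", "userinit.exe", "spoolsv.exe",
}

# HijackThis reports the Userinit value as an F2 line.  Windows runs every
# comma-separated entry at logon; a single trailing comma is normal.
USERINIT_LINE = re.compile(
    r"^F2\s*-\s*REG:system\.ini:\s*UserInit=(?P<value>.*)$", re.IGNORECASE)
SYSTEM32_USERINIT = re.compile(
    r"^[a-z]:\\[^\\]+\\system32\\userinit\.exe$", re.IGNORECASE)


def suspicious_userinit_entries(line: str) -> list[str]:
    """Return the Userinit entries that are not <windir>\\system32\\userinit.exe."""
    match = USERINIT_LINE.match(line.strip())
    if not match:
        return []
    entries = [e.strip().strip('"') for e in match.group("value").split(",")]
    return [e for e in entries if e and not SYSTEM32_USERINIT.match(e)]


def is_system_dir(path: str) -> bool:
    """True if the file sits directly in <drive>:\\<windir>\\system32."""
    directory = ntpath.dirname(path).lower()
    return re.fullmatch(r"[a-z]:\\[^\\]+\\system32", directory) is not None


def running_processes(log_text: str) -> list[str]:
    """Paths listed under 'Running processes:' (the section ends at a blank line)."""
    lines = log_text.splitlines()
    header = [i for i, l in enumerate(lines) if l.strip().lower() == "running processes:"]
    if not header:
        return []
    procs = []
    for line in lines[header[0] + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def suspicious_processes(paths: list[str]) -> list[str]:
    """Flag name-impersonating or Temp-resident processes, each path at most once."""
    flagged = []
    for path in paths:
        name = ntpath.basename(path).lower()
        impersonates = name in CORE_SYSTEM_BINARIES and not is_system_dir(path)
        if impersonates or "\\temp\\" in path.lower():
            flagged.append(path)
    return flagged


def triage(log_text: str) -> dict[str, list[str]]:
    """Run both checks over a whole HijackThis log."""
    userinit = []
    for line in log_text.splitlines():
        userinit.extend(suspicious_userinit_entries(line))
    return {"userinit": userinit,
            "processes": suspicious_processes(running_processes(log_text))}


# Constructed sample: a shortened log built from lines quoted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:27, on 28/03/2008
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\SYSMGT\ETRAV6\InoRT.exe
D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
C:\WINNT\Explorer.EXE
D:\profiles\O'NeillR\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cafevik.fs.fujitsu.com/index.aspx
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,D:\profiles\O'NeillR\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Both checks point at the same Temp-resident services.exe, which is why fixing the F2 line alone is not enough and the file itself has to go as well.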

nellie
2008-04-01, 08:24
OK, done all of the above (services.exe successfully deleted). New HJT scan as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:22:32, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\SYSMGT\ETRAV6\InoRpc.exe
C:\SYSMGT\ETRAV6\InoRT.exe
C:\SYSMGT\ETRAV6\InoTask.exe
C:\WINNT\System32\Fast.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\SYSMGT\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINNT\System32\taskswitch.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\SYSMGT\ETRAV6\realmon.exe
C:\WINNT\system32\igfxtray.exe
C:\SYSMGT\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Fujitsu Siemens\Bluetooth Software\BTTray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
D:\profiles\All Users\Start Menu\Programs\Startup\KVM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FUJITS~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\profiles\O'NeillR\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cafevik.fs.fujitsu.com/index.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fel01.icl.local:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fs.fujitsu.com;*.icl.fi;*.icl.se;145.227.*.*;172.19.*;192.168.*.*;*.icl.co.uk;*.fjcomp.com;172.30.*.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\System32\fast.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\SYSMGT\ETRAV6\realmon.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Fujitsu Services VPN Client.lnk = C:\Program Files\Fujitsu Services\VPN Client\ipsecdialer.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: KVM.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Fujitsu Siemens\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cafevik.fs.fujitsu.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.fs.fujitsu.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.icl.co.uk
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.fs.fujitsu.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: *.icl.co.uk (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {0BA88017-39EC-4954-B6D3-C366B8C27CE6} (PWLibraryComponent.ctlProjectWEBLibrary) - http://pjweb-uk1.solutionnet.fs.fujitsu.com/GSN0002/pjwebroot/GSNPWLIBRARY/client/PWLibraryComponent.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/gb/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127474906889
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194346262496
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\Software\..\Telephony: DomainName = europe.fs.fujitsu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.fs.fujitsu.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Fujitsu Siemens\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINNT\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINNT\Lic98RmtD.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Fujitsu Services\VPN Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\SYSMGT\ETRAV6\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 12944 bytes

shelf life
2008-04-02, 01:02
Hi nellie,

OK, good you got rid of it.

Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked".

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
-----------------
You can delete the SDFix folder.

HJT log looks OK. SAS and the online scan are OK also. If all is good then: happy safe surfing.
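
One way to automate the triage shelf life did by hand on the O2 and O4 lines, as an added example that is not part of this thread or of HijackThis itself. It assumes the HJT line shapes shown in the log above, uses constructed sample lines, and the `triage`/`executable_of` helpers and the `CLEANUP_TOOL_DIRS` set are my own names, not HJT's.

```python
import ntpath
import re

# Constructed sample lines, modelled on O2/O4 entries in the log above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Realtime Monitor] C:\SYSMGT\ETRAV6\realmon.exe -s
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# HijackThis line shapes as they appear in the log: O2 = browser helper object, O4 = autorun.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Folders created by one-shot removal tools (assumption: only SDFix, as seen in this thread).
# An autorun still pointing there is a leftover of the cleanup, not something to keep.
CLEANUP_TOOL_DIRS = {"sdfix"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js"}


def executable_of(cmd):
    """Return the program path from a Run command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (line, reason) pairs for entries a helper would ask to have fixed."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append((line, "orphaned BHO: CLSID registered but no DLL on disk"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        folders = exe.lower().split("\\")[:-1]
        if any(f in CLEANUP_TOOL_DIRS for f in folders):
            findings.append((line, "leftover autorun from a cleanup tool"))
        elif ntpath.splitext(exe)[1].lower() in SCRIPT_EXTS:
            findings.append((line, "autorun launches a script rather than a program"))
    return findings
```

Run `triage` over a full HJT log to get exactly the two lines shelf life listed; everything else in the sample passes.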

nellie
2008-04-02, 08:18
Many thanks for your help, shelf life.

In future I will be much more vigilant when opening MSN messages.

Cheers.

shelf life
2008-04-03, 00:35
Hi,

You're welcome.

A tip for you from my website:

Instant Messaging Software: (configure, good judgment)
More social engineering tricks. Don't click on links or files, or accept downloads, unless you are sure of the sender. Keep the software updated to patch possible exploits.

happy safe surfing.