Can't Remove Look2Me



bithead
2006-03-31, 01:56
I've run AdAware, Spybot, Look2Me Destroyer, and ewido (in safe mode) -- none of them are 100% successful. I'll post my hijackthis log in this message and my ewido in a reply to it. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 2:51:18 PM, on 3/30/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\cmd.exe
F:\WINNT\system32\net.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\rundll32.exe
F:\WINNT\system32\cmd.exe
D:\Ad-Spy-Ware killers\HijackThis.exe
F:\WINNT\System32\brsags.exe
F:\WINNT\System32\brsags.exe
F:\WINNT\System32\brsags.exe
F:\WINNT\System32\brsags.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\system32\userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] F:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [biwrfq] F:\WINNT\System32\brsags.exe reg_run
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [wfesh] F:\WINNT\System32\brsags.exe reg_run
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [CU2] F:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O4 - Global Startup: tyebm.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: Setup - F:\WINNT\system32\en04l1dq1.dll
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
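As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script run over a handful of the entries in the log above. It pulls out the extra programs hung off the system.ini Shell= and UserInit= lines, lists the Winlogon Notify packages (DLLs winlogon loads at boot), and flags O4 autoruns that launch from System32 or a Temp folder, or that sit in Global Startup as a bare executable rather than a .lnk shortcut. The sample lines are copied from the log posted above; the heuristics are the example's own assumptions and only surface entries for a person to review, they do not decide what is malicious.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis log
# posted above, including two clean ones (vptray, NavLogon) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\system32\userinit.exe,dvqiqyw.exe
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [biwrfq] F:\WINNT\System32\brsags.exe reg_run
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - Global Startup: tyebm.exe
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Setup - F:\WINNT\system32\en04l1dq1.dll
"""

# Every HijackThis entry starts with a section code such as R1, F2, O4, O20.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>[^ ]+) - (?P<dll>.+)$")
RUN_RE = re.compile(
    r"^HK(?:LM|CU)\\\.\.\\(?:Run|RunServices|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_entries(text):
    """Return (code, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def shell_userinit_extras(entries):
    """F2 lines: Shell= and UserInit= normally name exactly one program.
    Anything after the first comma-separated item is an extra that winlogon
    will also start; return it as (key, program)."""
    extras = []
    for code, body in entries:
        if code != "F2" or "=" not in body:
            continue
        key, _, value = body.partition("=")
        key = key.rsplit(":", 1)[-1].strip()  # 'REG:system.ini: Shell' -> 'Shell'
        programs = [p.strip() for p in value.split(",") if p.strip()]
        extras.extend((key, prog) for prog in programs[1:])
    return extras


def winlogon_notify_packages(entries):
    """O20 lines: every Winlogon Notify DLL is loaded into winlogon at boot,
    so each one is worth a look; return (package name, dll path)."""
    found = []
    for code, body in entries:
        if code == "O20":
            m = WINLOGON_RE.match(body)
            if m:
                found.append((m.group("name"), m.group("dll")))
    return found


def suspicious_autoruns(entries):
    """O4 lines that launch from System32 or a Temp directory, or a Global
    Startup item that is a bare executable instead of a .lnk shortcut.
    These are heuristics (an assumption of this example), not a verdict."""
    hits = []
    for code, body in entries:
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd").lower()
            if "\\system32\\" in cmd or "\\temp\\" in cmd:
                hits.append(body)
            continue
        if body.startswith("Global Startup: ") and "=" not in body:
            hits.append(body)
    return hits


def triage(text):
    """Run all three checks over a log and group the findings by check."""
    entries = parse_entries(text)
    return {
        "shell_userinit_extras": shell_userinit_extras(entries),
        "winlogon_notify": winlogon_notify_packages(entries),
        "autoruns": suspicious_autoruns(entries),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

On the sample, the script reports rbjef.exe and dvqiqyw.exe as extras on the Shell= and UserInit= lines, lists both Notify packages, and flags the brsags.exe, 1F.tmp and tyebm.exe autoruns while leaving vptray alone. Feed it the full log via `triage(open(path).read())` to get the same grouping for every entry.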

bithead
2006-03-31, 03:23
Immediately after posting the hijackthis log in the previous message, I rebooted to Safe Mode and ran the ewido scanner. Here is its report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:13:54 PM, 3/30/2006
+ Report-Checksum: D79156C3

+ Scan result:

[420] F:\WINNT\system32\skrobj.dll -> Adware.Look2Me : Error during cleaning
[464] F:\WINNT\System32\hysawbh.dll -> Downloader.Qoologic.bj : Error during cleaning
[696] F:\WINNT\System32\hysawbh.dll -> Downloader.Qoologic.bj : Error during cleaning
:mozilla.10:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.17:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.19:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.21:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.25:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.28:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.31:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.32:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.33:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.34:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.36:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.37:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.38:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.39:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.40:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.41:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.42:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.43:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.44:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.45:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.46:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.47:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.48:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.49:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.50:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.52:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
F:\Documents and Settings\bithead.001\Cookies\bithead@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
F:\WINNT\icont.exe -> Adware.AdURL : Cleaned with backup
F:\WINNT\iconu.exe -> Adware.Zestyfind : Cleaned with backup
F:\WINNT\system32\hohdr.dat -> Downloader.Qoologic.bj : Cleaned with backup
F:\WINNT\system32\__delete_on_reboot__hysawbh.dll -> Downloader.Qoologic.bj : Cleaned with backup
F:\WINNT\system32\__delete_on_reboot__skrobj.dll -> Adware.Look2Me : Cleaned with backup
F:\WINNT\Temp\bw2.com -> Adware.Zestyfind : Cleaned with backup


::Report End

Rawe
2006-03-31, 21:05
Hello and welcome aboard... Let's get started then, shall we? :)

You have a few infections there; please stick with it and we'll get them.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Look2Me-Destroyer (http://www.atribune.org/ccount/click.php?id=7) to your desktop.

Before continuing with the fix there is something you must do:

Click Start -> Run and type in: services.msc
Check that the following services are running and that their startup is set to automatic:
Seclogon, or Secondary logon service
Next your machine needs to be offline, manually disconnect the network cable if necessary.
Your antivirus, and every other security software MUST be disabled.

Now continue:

Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Re-launch your Anti-virus/Firewall protection.
Re-connect back to the internet.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :bigthumb:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

bithead
2006-03-31, 23:05
Hoo boy! This is a tad embarrassing... First, I found that there is no Seclogon or Secondary logon service listed. In looking further into it, I found that this PC is running W2K Pro SP2! I'm not sure if SP2 is the reason for the missing service, but it does beg the question... should I try to install SP4 and subsequent updates before we proceed, or should we try to clean up the malware, then install the updates?

Browsing on this machine cannot be trusted... trying to go to AV web sites usually gets me redirected to someplace else. I tried running Trend's Housecall, only to have it close down shortly after starting to scan. I installed a fresh copy of Firefox the other day and it was hijacked on first launch. I haven't tried going to the Windows Update site yet.

What should be the next step?

Rawe
2006-03-31, 23:13
Hmm. That was my fault.

The service you should be looking for is named Runas

Sorry.

bithead
2006-03-31, 23:33
No problem. I didn't see your message until after I got into work, so I was doing what I could remotely. Since the machine in question is at home, I won't be able to proceed until this evening, so I'll post back as soon as I can. Thanks for your help!

bithead
2006-04-01, 03:28
Here are the new log files. Looks like Look2Me Destroyer was successful this time! Thanks! :)

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 3/31/2006 4:06:09 PM

Infected! F:\WINNT\system32\kt0ml7d11.dll
Infected! F:\WINNT\system32\jtns0757e.dll
Infected! F:\WINNT\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: F:\WINNT\system32\jtns0757e.dll
F:\WINNT\system32\jtns0757e.dll Deleted successfully!

Attempting to delete: F:\WINNT\System32\guard.tmp
F:\WINNT\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C0AF100B-784C-4C7F-8944-F3DB301AABAC}"
HKCR\Clsid\{C0AF100B-784C-4C7F-8944-F3DB301AABAC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4132D6FD-732E-4AE4-9222-B061BF76CF17}"
HKCR\Clsid\{4132D6FD-732E-4AE4-9222-B061BF76CF17}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6CEF4FBD-5C9A-4ABF-900E-46A7EEAA4E03}"
HKCR\Clsid\{6CEF4FBD-5C9A-4ABF-900E-46A7EEAA4E03}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{726AA7D5-DE8A-4829-89F4-D791A814A0BB}"
HKCR\Clsid\{726AA7D5-DE8A-4829-89F4-D791A814A0BB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2151DBC1-22AD-4710-BE69-67264E0B292D}"
HKCR\Clsid\{2151DBC1-22AD-4710-BE69-67264E0B292D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{89E91042-CCE5-4E3F-8D6D-934EF4AF8D2E}"
HKCR\Clsid\{89E91042-CCE5-4E3F-8D6D-934EF4AF8D2E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

=====

Logfile of HijackThis v1.99.1
Scan saved at 4:16:20 PM, on 3/31/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\csrss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\system32\userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

Rawe
2006-04-01, 08:50
Hi again; let's continue. :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Killqoo.reg to your desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,dvqiqyw.exe"

Now double-click on the Killqoo.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

==

Uninstall the following entries through Control Panel -> Add/Remove programs if present:

ScreenTaker
rmda

==

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract Avenger.exe to your desktop.

2. Copy all the text in bold contained in the quotebox below to a blank notepad file:


Files to delete:
F:\WINNT\System32\rbjef.exe
F:\WINNT\System32\shellbn.exe
F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp

Folders to delete:
F:\Program Files\ScreenTaker\
F:\Program Files\rmda\haci.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to the notepad file into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it briefly opens a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :bigthumb:

bithead
2006-04-01, 20:25
Hi,

I have a question about the killqoo.reg file that you provided...

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,dvqiqyw.exe"

In the last line, should dvqiqyw.exe be included? It is currently in the registry of the infected machine, but it is not present on 2 other non-infected Win2000 machines that I've looked at.

I will proceed using your instructions, including the above, but want to be sure that it really should be included. Thanks for your help!

Rawe
2006-04-01, 20:44
Yes, it should be included. It will help us remove it.

bithead
2006-04-01, 23:33
OK, thanks. In the meantime...

1) Immediately after importing the killqoo.reg file, the settings are changed back to their prior values. Something is keeping a close watch on things, it seems.

2) After running Avenger and rebooting the first time, after logging in, Explorer never runs -- I get to a blue "desktop" screen, but no icons, start menu or task bar appear. The same occurs in Safe Mode, except the screen is black rather than blue. I finally figured out that I could...

* Press Ctrl-Alt-Del to get Task Manager running
* Choose File --> New Task (Run...), to run Explorer.exe

After the above, Avenger processed its script. And now I have rebooted again, but Explorer still isn't running after login -- I have to manually run Task Manager and start Explorer to get a desktop -- any ideas on fixing this?

Oh, and the following simply will NOT go away:

HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\shell = Explorer.exe, F:\WINNT\System32\rbjef.exe

Even if I manually edit the entry to remove all but Explorer.exe, if I immediately refresh it, the rbjef.exe is back. Is this why Explorer will not run after login?

Here is the Avenger log and the latest HJT log...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ntfiuofn

*******************

Script file located at: \??\F:\WINNT\dipcnqji.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

File F:\WINNT\System32\rbjef.exe deleted successfully.


File F:\WINNT\System32\shellbn.exe not found!
Deletion of file F:\WINNT\System32\shellbn.exe failed!

Could not process line:
F:\WINNT\System32\shellbn.exe
Status: 0xc0000034

Folder F:\Program Files\ScreenTaker deleted successfully.


Folder F:\Program Files\rmda\haci.exe not found!
Deletion of folder F:\Program Files\rmda\haci.exe failed!

Could not process line:
F:\Program Files\rmda\haci.exe
Status: 0xc0000034

Deletion of file F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp failed!
Status: 0xc000014f

Completed script processing.

*******************

Finished! Terminate.

[I have verified that the files it was unable to delete are in fact not present.]

=====

Logfile of HijackThis v1.99.1
Scan saved at 12:29:38 PM, on 4/1/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\System32\taskmgr.exe
F:\WINNT\explorer.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\NOTEPAD.EXE
F:\WINNT\system32\cmd.exe
F:\WINNT\regedit.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

Once again, thanks for your help!
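A check for the Winlogon values this post describes (Shell and Userinit with an extra executable appended), written as an added example for this thread; it is not code from the forum, from the helper, or from HijackThis. It assumes the system root is F:\WINNT, as the log's process paths show, and the sample F2 lines are constructed from the values quoted in the thread.

```python
import re

# Constructed sample input: the two F2 lines from the 4/1/2006 log in this
# thread, plus a clean Shell/UserInit pair for comparison.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe",
    r"F2 - REG:system.ini: UserInit=F:\WINNT\System32\userinit.exe,",
]

# Assumption: the system root is F:\WINNT, taken from the log's process paths.
SYSTEM_ROOT = r"F:\WINNT"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<name>Shell|UserInit)=(?P<value>.*)$")


def parse_f2(line):
    """Return (name, value) for a HijackThis F2 Shell/UserInit line, else None."""
    m = F2_RE.match(line.strip())
    return (m.group("name"), m.group("value")) if m else None


def split_entries(value):
    """Winlogon values are comma-separated program lists; a trailing comma is normal."""
    return [e.strip() for e in value.split(",") if e.strip()]


def check_winlogon(name, value, system_root=SYSTEM_ROOT):
    r"""Compare one Shell/UserInit value against the clean Windows 2000 baseline.

    Baseline: Shell is exactly Explorer.exe; Userinit is exactly
    <system_root>\System32\userinit.exe with nothing appended.
    Returns a list of findings; an empty list means the value is baseline.
    """
    entries = split_entries(value)
    findings = []
    if name == "Shell":
        expected = "explorer.exe"
    else:
        expected = (system_root.rstrip("\\") + r"\System32\userinit.exe").lower()
    first = entries[0] if entries else "(empty)"
    if first.lower() != expected:
        findings.append(f"{name} does not start with {expected}: {first}")
    # Anything after the first entry is an extra program Winlogon launches at
    # every logon; in this thread those were rbjef.exe and dvqiqyw.exe.
    for extra in entries[1:]:
        findings.append(f"extra {name} entry: {extra}")
    return findings


def scan(lines, system_root=SYSTEM_ROOT):
    """Scan HijackThis-format lines; return [(name, value, findings), ...]."""
    results = []
    for line in lines:
        parsed = parse_f2(line)
        if parsed is None:
            continue
        name, value = parsed
        results.append((name, value, check_winlogon(name, value, system_root)))
    return results


def baseline_reg(system_root=SYSTEM_ROOT):
    """Emit a REGEDIT4 fragment with the baseline values (backslashes doubled, as .reg files require)."""
    userinit = (system_root.rstrip("\\") + r"\System32\userinit.exe,").replace("\\", "\\\\")
    return "\n".join([
        "REGEDIT4",
        "",
        r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]",
        '"Shell"="Explorer.exe"',
        f'"Userinit"="{userinit}"',
        "",
    ])


if __name__ == "__main__":
    for name, value, findings in scan(SAMPLE_LINES):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:8} {value!r:72} -> {status}")
    print(baseline_reg())
```

Because the value in the thread was rewritten within seconds of being fixed, a check like this is most useful run repeatedly (or compared against a saved baseline) rather than once.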

Rawe
2006-04-01, 23:40
Please download FindQool by LonnyRJones (http://downloads.subratam.org/Lon/FindQool.zip):

Extract the files and place the FindQool folder in root. Usually C:\
Open the folder and run Qlocate.bat.
Post the contents of the txt.log which will open.

bithead
2006-04-02, 00:42
Sat 04/01/2006
Running from: F:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

Re-check using dir /a:-d
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"biwrfq"="F:\\WINNT\\System32\\brsags.exe reg_run"
HKCU
"wfesh"="F:\\WINNT\\System32\\brsags.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, F:\WINNT\System32\rbjef.exe
userinit REG_SZ C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006

Rawe
2006-04-02, 01:24
Let's try the following Regedit. :)

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixqoo.reg to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}]

[-HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@=-

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\{BDA77241-42F6-11d0-85E2-00AA001FE28C}]

Now double-click on the Fixqoo.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Post back with a fresh HijackThis log.

bithead
2006-04-02, 01:52
OK, here ya go...

Logfile of HijackThis v1.99.1
Scan saved at 2:50:17 PM, on 4/1/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\System32\taskmgr.exe
F:\WINNT\explorer.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\NOTEPAD.EXE
F:\WINNT\regedit.exe
F:\WINNT\system32\NOTEPAD.EXE
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

bithead
2006-04-02, 03:53
And FWIW, I still have to run Explorer manually after logging in. :(

Rawe
2006-04-02, 12:09
Ok. Let's continue.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.

Do NOT run it yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Once in Safe Mode, please run a scan with HijackThis and check the following objects for removal if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Navigate to, and delete the following files/folders if present:

F:\WINNT\System32\rbjef.exe
F:\WINNT\System32\shellbn.exe
F:\Program Files\rmda\

==

Please run ATF-Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

==

Reboot normally and post back with a fresh HijackThis log, please. ;)

bithead
2006-04-02, 20:06
Here is the new HJT log. As you'll see, much of the stuff I removed is still present. I think this is due to logging in with different profiles. The infected profile is a domain account, and is the one I use when booting normally. When booting to Safe Mode, I can't access the domain account since there is no network support. Consequently, all of the HKCU listings are not present when running HJT in Safe Mode.

Should I repeat your last instructions, but using Safe Mode with Networking Support so I can login as my domain user to clean things up for that account?

Logfile of HijackThis v1.99.1
Scan saved at 9:59:45 AM, on 4/2/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\csrss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

bithead
2006-04-02, 20:15
Oh yeah... Explorer launches OK now after login! :) Also, I figured out why it was not launching. I copied and pasted this line as it was provided and imported it into the registry:

"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,dvqiqyw.exe"

But on my system, I should have changed "C:\\WINDOWS\System32" to "F:\WINNT\System32". Live and learn... :p

Rawe
2006-04-02, 20:16
Hmm.. Rather, clean in normal mode with this account and see if anything is fixed.

bithead
2006-04-02, 20:46
Looks like about 80% success...

Logfile of HijackThis v1.99.1
Scan saved at 10:41:37 AM, on 4/2/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\csrss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

bithead
2006-04-02, 23:43
I tried it using Safe Mode with Networking (sorry to be impatient, but I have all day to work on this today, and once I'm back to work tomorrow, it becomes more difficult). The resulting new log is identical to the last one I posted, except for the time stamp -- it's just the "F2" entries that refuse to go away. What's next? :scratch:

Rawe
2006-04-03, 15:36
I just realized you have another serious infection there.

==

Please download Haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe):
Save it to your desktop.
Double-click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread. :bigthumb:

bithead
2006-04-03, 16:46
Here is the haxlog.txt file:

HAXFIX logfile - by Marckie
--------------
Mon 04/03/2006 6:41:58.48

checking for ps.a3d....
ps.a3d is present!

checking for matching notify keys....
matching notify keys found
winm

checking for matching services....
matching services found
winm32
winm64

checking for matching safeboot services....
matching safeboot services found
winm32.sys
winm64.sys

Rawe
2006-04-03, 19:12
Option 3 Manual fix:
Open the following folder: C:\Program Files\Haxfix\
Double-click on Fix.bat.
Close all other open windows since this step requires a reboot.
Select option 3. Run manual fix by typing 3 and then pressing Enter.

This message will appear:

echo Insert the haxdoorkey,
and then press Enter:
Type the following: winm
When this is a valid choice, the key will be added to delete.
There is the possibility to add a new key: Yes (type Y) or No (type N).
Followed by this message:

Haxdoorkey winm added to delete.

Do you want to add a new haxdoorkey?

Press Y for YES or N for NO and then press Enter:

Type N for No and press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of the logfile together with a new HijackThis log. :bigthumb:

bithead
2006-04-03, 19:35
Here ya go... I hope this is good! :)

HAXFIX logfile - by Marckie
--------------
Mon 04/03/2006 9:23:16.37

Manual Haxdoorfix

Adding haxdoorkeys to delete...
winm


haxdoor key: winm
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor key: winm
searching for services....
services not found

checking if files are found.....
winm32.dll exist
winm32.sys exist
winm64.sys exist
winm16.dll not found
winm16.sys not found
winm24.sys not found
winmxt.dll not found
winmxt.sys not found
winmxm.sys not found

deleting files.....

checking if files are deleted.....


checking for other files.....
qy.sys exist
qz.dll exist
qz.sys exist
klogini.dll exist
p3.ini exist
ps.a3d exist
klgcptini.dat not found
qm.dll not found
qm.sys not found
qy.dll not found
zq.dll not found
zq.sys not found
stt82.ini not found
klo5.sys not found
fux87.ini not found
set87.ini not found

deleting other files.....

checking if the files are deleted.....


Finished

======

Logfile of HijackThis v1.99.1
Scan saved at 9:33:27 AM, on 4/3/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\WINNT\SYSTEM32\cmd.exe
F:\WINNT\system32\net.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

Rawe
2006-04-03, 19:54
Better ;)

Hmm. We still have the dang F2 entries to get rid of. I modified the regfix a bit.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fix.reg to your desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="F:\\WINNT\\System32\\userinit.exe,dvqiqyw.exe"

Now double-click on the Fix.reg on your desktop and allow it to merge with the registry by clicking YES on the prompt. Reboot.

==

After reboot, run a scan with HijackThis and check the following objects for removal:

F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Post back a new log and let me know if you have any issues with the PC. :)
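The whole fix above turns on two Winlogon values: Shell must be exactly Explorer.exe, and Userinit must be the system's userinit.exe followed by a trailing comma and nothing else; anything listed after either one is an extra program started at every logon, which is how this infection keeps coming back. The script below is an added example (not part of the thread and not a FindQool or HijackThis feature) that applies that rule to HijackThis F2 lines and to the value lines of a Winlogon .reg file. Its sample input is constructed from the F2 lines and the Fix.reg quoted in this thread; note that it flags the posted Fix.reg's Userinit value, because that value still names dvqiqyw.exe after userinit.exe.

```python
"""Flag extra programs in Winlogon Shell / Userinit values.

Added example for this thread, not code from the thread's participants.
Input lines may be HijackThis "F2 - REG:system.ini:" entries or the
value lines of a .reg export of the Winlogon key.
"""
import re
from typing import List, Tuple

# Expected values on Windows 2000/XP. Userinit legitimately ends with a
# trailing comma; anything after it is an additional logon program.
EXPECTED_SHELL = "explorer.exe"
USERINIT_NAME = "userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(Shell|UserInit)=(.*)$", re.I)
REG_RE = re.compile(r'^"(Shell|Userinit)"="(.*)"$', re.I)


def split_programs(value: str) -> List[str]:
    """Split a Shell/Userinit value into its comma-separated program entries.
    .reg files escape backslashes as '\\\\', so collapse those first."""
    value = value.replace("\\\\", "\\")
    return [p.strip() for p in value.split(",") if p.strip()]


def check_value(name: str, value: str) -> List[str]:
    """Return findings for one value; an empty list means the value is clean."""
    programs = split_programs(value)
    findings: List[str] = []
    if name.lower() == "shell":
        if not programs:
            findings.append("Shell is empty")
        else:
            if programs[0].lower() != EXPECTED_SHELL:
                findings.append(f"Shell is not explorer.exe: {programs[0]}")
            findings.extend(f"extra program in Shell: {p}" for p in programs[1:])
    else:
        if not programs:
            findings.append("Userinit is empty")
        else:
            # Only the file name is compared, so any Windows directory is accepted.
            if programs[0].lower().rsplit("\\", 1)[-1] != USERINIT_NAME:
                findings.append(f"Userinit does not start with userinit.exe: {programs[0]}")
            findings.extend(f"extra program in Userinit: {p}" for p in programs[1:])
    return findings


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Scan HJT F2 lines and .reg value lines; return (line, value name, findings)
    for every line that produced at least one finding."""
    hits = []
    for raw in lines:
        line = raw.strip()
        m = F2_RE.match(line) or REG_RE.match(line)
        if not m:
            continue
        findings = check_value(m.group(1), m.group(2))
        if findings:
            hits.append((line, m.group(1).lower(), findings))
    return hits


# Constructed sample: the F2 lines and Fix.reg values quoted in this thread,
# plus one clean Userinit line for comparison.
SAMPLE = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe",
    r"F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe",
    r"F2 - REG:system.ini: UserInit=",
    r'"Shell"="Explorer.exe"',
    r'"Userinit"="F:\\WINNT\\System32\\userinit.exe,dvqiqyw.exe"',
    r'"Userinit"="F:\\WINNT\\System32\\userinit.exe,"',
]

if __name__ == "__main__":
    for line, name, findings in scan(SAMPLE):
        print(line)
        for f in findings:
            print("   ->", f)
```

Run it against a saved HijackThis log (`scan(open("hijackthis.log").read().splitlines())`) or against the .reg file before merging it; a clean system produces no output at all.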

bithead
2006-04-04, 06:21
This was interesting...

1) I imported your fix.reg file -- the entire contents of the WinLogon key were removed -- I hope this was what was intended!
2) Both the shell= and userinit= came back within a few seconds of the import
3) I ran HJT and told it to fix the F2 entries (the O20 entry was not present)
4) I rebooted
5) I ran HJT and the F2 entries were still present
6) I reimported your fix.reg -- this time neither of the F2 entries came back into the registry
7) I rebooted -- the Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe was back in the registry, but the userinit= line was not
8) I ran HJT -- both F2 entries were present, but the userinit line was just Userinit=
9) I told HJT to fix both F2 entries -- after this, looking at the registry, both bad entries were back!
10) I repeated steps 4) thru 7) -- the current HJT log is below. Hope to hear from you soon! :)

Logfile of HijackThis v1.99.1
Scan saved at 8:05:14 PM, on 4/3/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\cmd.exe
F:\WINNT\regedit.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

bithead
2006-04-04, 06:40
Whoops, there should be a step 11)... I ran HJT and told it to fix ONLY the F2 entry for shell= line. The log I posted was generated after doing that.

Rawe
2006-04-04, 08:49
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :)

bithead
2006-04-05, 01:25
Whew! Only a few hundred thousand files to scan.... here's the Activescan report:

Incident Status Location

Adware:Adware/Qoologic Not disinfected F:\WINNT\System32\hysawbh.dll
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@c5.zedo[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@maxserving[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@realmedia[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@trafficmp[1].txt
Spyware:Cookie/Adserver Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@zedo[2].txt
Adware:Adware/PurityScan Not disinfected C:\Veracruz.exe
Virus:Trj/NetCat.A Not disinfected 2001\Inbox\Utils\Netcat For windows\ncnt090.zip[netcat.exe]
Virus:EICAR-AV-TEST-FILE Not disinfected 2002\Sent Items\RE: Odd request, but what's new... :)\EICAR.COM
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools\psexec.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools\pskill.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools.zip[pskill.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools.zip[psexec.exe]
Virus:Trj/Qoologic.J Not disinfected F:\avenger\backup.zip[rbjef.exe]
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@c5.zedo[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@maxserving[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@realmedia[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@trafficmp[1].txt
Spyware:Cookie/Adserver Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@zedo[2].txt
Potentially unwanted tool:Application/Psshutdown.A Not disinfected F:\WINNT\psshutdown.exe
Adware:Adware/Qoologic Not disinfected F:\WINNT\system32\hohdr.dat

bithead
2006-04-05, 19:39
Well, this just keeps getting more interesting! From the ActiveScan log it appears that QooLogic is still the culprit to be eliminated. So, I took a look at QLOCATE.BAT as provided with the FindQool tool, and then at LOCATE.COM. It turns out that LOCATE.COM is able to see files on my PC that nothing else can! For example, here I manually execute a line from the batch file:


F:\FindQool>LOCATE %WinDir%\System32\???????.exe /D- /D:T-5M /S:23552! /NR /N
F:\WINNT\SYSTEM32\DVQIQYW.EXE

It successfully located the file listed. Similarly, just typing a command results in another file being seen:


F:\FindQool>locate \winnt\system32\brsag*

F:\WINNT\SYSTEM32\
brsags.exe Thu Mar 30 2006 12:45:04p A.... 127,488 124.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 127,488 bytes 124.50 K

But the really strange thing is that I cannot see either of those files from Explorer or a command prompt. I have Explorer configured to show everything, and in a command prompt environment, DIR with the /ah and /as options comes up empty for the above files.

So, why can LOCATE.COM see these things, but nothing else can? And more importantly, how can I get rid of these invisible files? :scratch: (Please hurry! I haven't much hair left!)
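What the post above describes is a cross-view discrepancy: one tool (LOCATE.COM, which walks the directory its own way) lists files in F:\WINNT\SYSTEM32 that `dir /a` and Explorer do not, and a file that exists in one view of the same directory but not in another is exactly the signal rootkit detectors look for. The script below is an added example, not from the thread and not part of FindQool: it parses a LOCATE listing and a `dir /a` listing of the same directory and reports the files each view is missing. Both listings are constructed from the formats shown in this thread, and the userinit.exe entry and its size are made up for the comparison; it assumes file names without spaces in the LOCATE output.

```python
"""Cross-view comparison of two directory listings.

Added example for this thread, not code from the thread's participants.
parse_locate() reads LOCATE.COM output (directory line ending in '\',
then one line per file); parse_dir() reads Windows 2000 `dir /a` output.
cross_view_diff() reports what each view is missing.
"""
import re
from typing import Dict, List, Set

LOCATE_DIR_RE = re.compile(r"^([A-Za-z]:\\.*\\)$")
# name  Day Mon DD YYYY HH:MM:SSp  attrs  size  size-in-K
LOCATE_FILE_RE = re.compile(
    r"^(\S+)\s+(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\w{3}\s+\d{1,2}\s+\d{4}"
    r"\s+\S+\s+(\S+)\s+([\d,]+)"
)
DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+)$")
# date  time  <DIR> or size  name
DIR_FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}[ap]\s+(<DIR>|[\d,]+)\s+(.+)$")


def parse_locate(text: str) -> Set[str]:
    """Return lower-cased full paths of the files LOCATE listed."""
    seen: Set[str] = set()
    current = ""
    for line in text.splitlines():
        line = line.rstrip()
        m = LOCATE_DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = LOCATE_FILE_RE.match(line.strip())
        if m and current:
            seen.add((current + m.group(1)).lower())
    return seen


def parse_dir(text: str) -> Set[str]:
    """Return lower-cased full paths of the files `dir /a` listed (directories skipped)."""
    seen: Set[str] = set()
    current = ""
    for line in text.splitlines():
        m = DIR_HEADER_RE.match(line)
        if m:
            current = m.group(1).rstrip("\\") + "\\"
            continue
        m = DIR_FILE_RE.match(line.strip())
        if m and current and m.group(1) != "<DIR>":
            seen.add((current + m.group(2)).lower())
    return seen


def cross_view_diff(locate_text: str, dir_text: str) -> Dict[str, List[str]]:
    """Files present in one view but absent from the other, per direction."""
    a, b = parse_locate(locate_text), parse_dir(dir_text)
    return {"hidden_from_dir": sorted(a - b), "hidden_from_locate": sorted(b - a)}


# Constructed sample listings of the same directory.
LOCATE_SAMPLE = r"""
F:\WINNT\SYSTEM32\
brsags.exe Thu Mar 30 2006 12:45:04p A.... 127,488 124.50 K
userinit.exe Tue Dec 07 1999 12:00:00p A.... 21,776 21.27 K

2 items found: 2 files, 0 directories.
"""

DIR_SAMPLE = r"""
 Volume in drive F has no label.
 Directory of F:\WINNT\SYSTEM32

03/30/2006  12:45p      <DIR>          .
03/30/2006  12:45p      <DIR>          ..
12/07/1999  12:00p              21,776 userinit.exe
               1 File(s)         21,776 bytes
"""

if __name__ == "__main__":
    for direction, paths in cross_view_diff(LOCATE_SAMPLE, DIR_SAMPLE).items():
        print(direction, paths)
```

The method generalizes to any two independent views of the same directory (two tools, a live listing against an offline one); a non-empty difference is not proof of malware, but every entry in it deserves the kind of look the thread goes on to give brsags.exe.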

bithead
2006-04-05, 23:52
Progress! I was able to use Killbox.exe to get rid of the "super hidden" files. FYI, these included:

F:\WINNT\SYSTEM32\brsags.exe
F:\WINNT\SYSTEM32\dvqiqyw.exe
F:\WINNT\SYSTEM32\rbjef.exe
F:\WINNT\SYSTEM32\hysawbh.dll
F:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\tyebm.exe

Then I ran HJT and told it to get rid of the pesky F2 entries -- after rebooting, they're still gone! FindQool is still reporting a couple of registry entries that I need to remove, but it doesn't tell me quite where they are so I may need some help there. Here are the FindQool and HJT logs.

Thanks for all your help! Please let me know if I appear healthy again.

Wed 04/05/2006
Running from: F:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

F:\WINNT\SYSTEM32\HOHDR.DAT
Re-check using dir /a:-d
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"biwrfq"="F:\\WINNT\\System32\\brsags.exe reg_run"
HKCU
"wfesh"="F:\\WINNT\\System32\\brsags.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ F:\WINNT\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006

=====

Logfile of HijackThis v1.99.1
Scan saved at 1:32:17 PM, on 4/5/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\cmd.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [biwrfq] F:\WINNT\System32\brsags.exe reg_run
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [wfesh] F:\WINNT\System32\brsags.exe reg_run
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

bithead
2006-04-06, 00:26
:bigthumb: I did a regedit search and removed everything with 'brsags' in it, rebooted and all looks good. I hadn't noticed brsags in the HJT log before, but now it's gone... :)

Logfile of HijackThis v1.99.1
Scan saved at 2:21:48 PM, on 4/5/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\cmd.exe
F:\WINNT\system32\notepad.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
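
Reading the O4 and O23 lines above by hand is exactly what this thread is doing. As an added example (not code from the original thread, and not part of HijackThis), here is a small Python triage helper that parses lines in that format and flags the things a reviewer looks for first: entries whose binary is gone ("(file missing)"), services with no publisher in their version information ("Unknown owner"), autoruns given as a bare file name that Windows resolves through the PATH search order, and command lines whose quoting has been mangled. The sample lines are constructed from a few entries of the log rather than the full log, and the heuristics are this example's own, not rules stated in the thread; as the FindQool banner says, legitimate files will be listed, so a flag means "verify", not "delete".

```python
"""Triage helper for HijackThis O4 (autorun) and O23 (service) log lines."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis 1.99 format, modelled on a handful of
# lines from the log above (not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\\..\\Run: [WinVNC] "D:\\Program Files\\UltraVNC\\WinVNC.exe" -servicehelper
O4 - HKCU\\..\\Run: [MWSnap] "D:\\Program Files\\MWSnap\\MWSnap.exe"
O4 - Global Startup: Novell iFolder.lnk = D:\\Program Files\\Novell\\iFolder\\trayapp.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\\WINNT\\LogWatNT.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\\Program Files\\UltraVNC\\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\\WINNT\\System32\\ZipToA.exe (file missing)
"""

@dataclass
class Entry:
    section: str                 # "O4" or "O23"
    name: str                    # Run value name, .lnk name, or service display name
    command: str                 # command line / image path as HijackThis printed it
    owner: str = ""              # O23 only: publisher from the file's version resource
    flags: List[str] = field(default_factory=list)

O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.+)$")
O4_LNK = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.+)$")
O23 = re.compile(r"^O23 - Service: (.+)$")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; return None for any other section."""
    line = line.rstrip()
    m = O4_RUN.match(line)
    if m:
        return Entry("O4", m.group(2), m.group(3))
    m = O4_LNK.match(line)
    if m:
        return Entry("O4", m.group(2), m.group(3))
    m = O23.match(line)
    if m:
        # "<display name> - <owner> - <image path>": split from the right so a
        # display name containing " - " or parentheses does not confuse us.
        parts = m.group(1).rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            return Entry("O23", name, path, owner)
    return None

def triage(entry: Entry) -> Entry:
    """Attach review flags; every flag means 'verify this', not 'delete this'."""
    cmd = entry.command
    if cmd.endswith("(file missing)"):
        entry.flags.append("file missing: registration points at a binary that is gone; remove the stale key")
    if entry.section == "O23" and entry.owner == "Unknown owner":
        entry.flags.append("no publisher in version info; verify the binary by hash or vendor before trusting it")
    if '"' in cmd and not cmd.startswith('"'):
        entry.flags.append("unbalanced quoting in the stored command line; inspect the registry value directly")
    if entry.section == "O4" and "\\" not in cmd.split()[0]:
        entry.flags.append("bare file name: resolved via the PATH search order, so a same-named file earlier in PATH would run instead")
    return entry

def triage_log(text: str) -> List[Entry]:
    entries = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return [triage(e) for e in entries]

def suspicious(text: str) -> List[str]:
    """Names of entries that picked up at least one flag."""
    return [e.name for e in triage_log(text) if e.flags]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        status = "; ".join(e.flags) if e.flags else "ok"
        print(f"{e.section:<4}{e.name:<36}{status}")
```

Run it against a saved HijackThis log (`triage_log(open("hijackthis.log").read())`) and work through the flagged entries with the registry (`HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath`, `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`) open beside it.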

Rawe
2006-04-07, 07:38
I'm so sorry for the delay in replies; I have lost the subscription somewhere :scratch:

Your latest log looks good. Can you please post another Panda & FindQool log to look at :)

bithead
2006-04-07, 17:20
Yay, you're back! I'm glad you found me again! :)

Here is the FindQool log. There are literally over a million files on this PC, so the Panda scan needs hours to run. I'll post back with it as soon as I can. Please don't forget about me! ;)

Fri 04/07/2006
Running from: F:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

Re-check using dir /a:-d
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ F:\WINNT\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006

bithead
2006-04-07, 17:32
I'm not out of the woods yet. During the Panda scan, my realtime virus scanner popped this message up on the screen:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\ac2_0003.exe
Location: Quarantine
Computer: W2KPRO-1
User: bdoster
Action taken: Quarantine succeeded : Access denied
Date found: Friday, April 07, 2006 7:18:07 AM

Any idea where that might be coming from? Since my post of a few days ago, the machine has been running fine.

Rawe
2006-04-07, 17:44
Your FindQool log looks good.

Let's try Kaspersky instead of Panda (I just want to make sure nothing is left out of the fix):

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/service?chapter=161739400)

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

This program will start to scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

bithead
2006-04-07, 18:55
Panda is almost half finished right now. I think I'll let it complete, then run the Kaspersky scan. Stay tuned... ;)

bithead
2006-04-07, 20:57
Panda's ActiveScan is below. In the meantime, another virus infected file was found during the scan:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: F:\!KillBox\dvqiqyw.exe
Location: Quarantine
Computer: W2KPRO-1
User: bdoster
Action taken: Quarantine succeeded : Access denied
Date found: Friday, April 07, 2006 9:51:34 AM

This one is a backup made by Killbox before deleting the file, and the file was part of the original Qoologic infection. Maybe it copied itself but was never activated, and that's where the first one came from? You would know better than I -- I am completely guessing at this point.

I'll do the Kaspersky scan now. Here is the new Panda scan:


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@adopt.hbmediapro[2].txt
Adware:Adware/PurityScan Not disinfected C:\Veracruz.ex_
Virus:Trj/NetCat.A Not disinfected 2001\Inbox\Utils\Netcat For windows\ncnt090.zip[netcat.exe]
Virus:EICAR-AV-TEST-FILE Not disinfected 2002\Sent Items\RE: Odd request, but what's new... :)\EICAR.COM
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools\psexec.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools\pskill.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools.zip[pskill.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools.zip[psexec.exe]
Adware:Adware/Qoologic Not disinfected F:\!KillBox\brsags.exe
Adware:Adware/Qoologic Not disinfected F:\!KillBox\hohdr.dat
Adware:Adware/Qoologic Not disinfected F:\!KillBox\hysawbh.dll
Virus:Trj/Qoologic.J Not disinfected F:\!KillBox\rbjef.exe
Adware:Adware/Qoologic Not disinfected F:\!KillBox\tyebm.exe
Virus:Trj/Qoologic.J Not disinfected F:\avenger\backup.zip[rbjef.exe]
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@adopt.hbmediapro[2].txt
Potentially unwanted tool:Application/Psshutdown.A Not disinfected F:\WINNT\psshutdown.exe

I had located the Veracruz file a few days ago and renamed it. Eicar.com and netcat.exe are in old email archives (Outlook PST files), so are no immediate threat. The ps* files are part of Sysinternals (a set of utils worth looking up if you're not familiar with them!) and are all OK. Everything else other than the cookies consists of backups made by malware killers throughout this fun time we're having here. :p So, it looks pretty good to me, but I'll let you be the judge.

Thank you for your help!

Rawe
2006-04-07, 23:14
Nothing bad in particular there. You can go ahead and delete the !Killbox - folder, it contains KillBox backups.

It seems your PC should be clean of anything major at this point. Delete the cookies though ;)

I'll just check the Kaspersky scan and then I'll point out some preventive maintenance for future.

bithead
2006-04-07, 23:36
Sounds good. It will be a while for the Kaspersky results. I accidentally closed the scan window when it was at 3%. I restarted it about an hour ago -- it is at 2% as I write. I'm guessing it will finish some time tomorrow...

bithead
2006-04-08, 18:22
FYI, after nearly 20 hours the Kaspersky scan is reporting that it's 72% complete.

Rawe
2006-04-08, 18:54
Do you see if it has found anything as of yet?

bithead
2006-04-08, 19:07
Yes it has, but I had not deleted anything between the last Panda scan and the Kaspersky scan, so it's hard to tell if there is anything new yet.

Rawe
2006-04-08, 19:17
Well, if you deleted the !KillBox folder and cookies, then there shouldn't be much left of the last Panda scan..

bithead
2006-04-08, 23:11
It's here! :) Some notes:

1) I said the PC has over a million files on it. That was based on what Panda was reporting. From the Kaspersky scan, it appears that Panda was counting the files inside of files and Kaspersky was not.

2) Veracruz.ex_ -- known already (I suppose I should delete it though! :rolleyes:)

3) The .pst files are not a threat to this PC as I don't have Outlook installed on it. Nevertheless it's good to know about what's there.

4) We know about the Killbox and the Avenger files.

5) The only other new items are files which have been quarantined by Symantec AntiVirus.

Looks like we made it? Looking forward to your reply! :)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 08, 2006 12:59:32
Operating System: Microsoft Windows 2000 Professional, Service Pack 2 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/04/2006
Kaspersky Anti-Virus database records: 175547
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
R:\
S:\

Scan Statistics:
Total number of scanned objects: 88943
Number of viruses found: 17
Number of infected objects: 32
Number of suspicious objects: 18
Duration of the scan process: 86888 sec

Infected Object Name - Virus Name
C:\Veracruz.ex_/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\Veracruz.ex_/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\Veracruz.ex_ Infected: Trojan-Dropper.Win32.VB.kk
D:\Data\2001.pst/2001/Inbox/19 Sep 2001 01:08 from cajun@cajuninc.com:Fwd: CERT Advisory CA-.eml Infected: Net-Worm.Win32.Nimda
D:\Data\2001.pst Infected: Net-Worm.Win32.Nimda
D:\Data\2002.pst/2002/Inbox/28 Jul 2002 03:57 from postmaster:BOTTOM.html.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2002.pst/2002/Inbox/22 Jul 2002 02:58 from webmaster:A WinXP patch.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2002.pst/2002/Sent Items/16 Apr 2002 20:00 to 'Luis Chanu':RE: Odd request, but what's ne/EICAR.COM Infected: EICAR-Test-File
D:\Data\2002.pst Infected: EICAR-Test-File
D:\Data\2003.pst/2003/Inbox/Virus/28 Jan 2003 05:46 from bedeprosse:Please try again.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/28 Jan 2003 05:16 from lisardo:TempPair.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/28 Jan 2003 06:26 from cindysundberg:Scrolling.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/24 Jan 2003 21:10 from reginajrichardson:HrResponseHdr .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/27 Jan 2003 17:15 from lisardo:Questionnaire.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/27 Jan 2003 16:59 from cbrophy:MainType.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/28 Jan 2003 02:05 from Jeffsherry:Hello,welcome to my ho.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Inbox/Virus/28 Jan 2003 04:45 from cbrophy:MainType.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Sent Items/28 Jan 2003 02:37 to 'insightnet@attbi.com':FW: MainType.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst/2003/Sent Items/28 Jan 2003 02:37 to Brad Doster:FW: MainType.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\2003.pst Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\RedHat.pst/Message store/Inbox/@RedHat/20 Sep 2001 22:55 from Chuck Mead:Re: procmail vs NIMDA - workin.eml/[From <253cfa.gpr9eiv.1jig81c@ifi.uio.no>][Date Tue, 18 Sep 2001 09:57:43 -0400 (EDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\RedHat.pst/Message store/Inbox/@RedHat/20 Sep 2001 22:55 from Chuck Mead:Re: procmail vs NIMDA - workin.eml/[From <253cfa.gpr9eiv.1jig81c@ifi.uio.no>][Date Tue, 18 Sep 2001 09:57:43 -0400 (EDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\RedHat.pst/Message store/Inbox/@RedHat/20 Sep 2001 22:55 from Chuck Mead:Re: procmail vs NIMDA - workin.eml Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\RedHat.pst/Message store/Inbox/@RedHat/20 Sep 2001 22:55 from Chuck Mead:Re: procmail vs NIMDA - workin.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
D:\Data\RedHat.pst Suspicious: Exploit.HTML.Iframe.FileDownload
F:\!KillBox\brsags.exe Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\!KillBox\hohdr.dat Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\!KillBox\hysawbh.dll Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\!KillBox\rbjef.exe Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\!KillBox\tyebm.exe Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\avenger\backup.zip/avenger/rbjef.exe Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\avenger\backup.zip Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D80000.VBN Infected: Trojan-Downloader.Win32.Small.cpu
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05EC0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06CC0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06D80000.VBN Infected: Trojan-Downloader.Win32.VB.nw
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06DC0000.VBN Infected: Trojan-Spy.Win32.Small.dg
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN Infected: Trojan-Downloader.Win32.Ani.c
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E40000.VBN Infected: Trojan-Clicker.Win32.Small.jf
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E40001.VBN Infected: Trojan-Downloader.Win32.Agent.agy
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E80000.VBN Infected: Trojan-Spy.Win32.Small.dg
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06EC0000.VBN Infected: Trojan-Clicker.Win32.VB.ij
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08400000.VBN Infected: Trojan-Downloader.Win32.Small.cpa
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08440000.VBN Infected: Trojan-Spy.Win32.Small.dg
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08480000.VBN Infected: Trojan-Dropper.Win32.Small.amd
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\084C0000.VBN Infected: Trojan-Proxy.Win32.Small.bo
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08640000.VBN Infected: Trojan-Downloader.Win32.Small.ckj
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08680000.VBN Infected: Trojan-Downloader.Win32.Small.ckj
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08740000.VBN/data0002 Infected: Trojan-Clicker.Win32.Small.jf
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08740000.VBN Infected: Trojan-Clicker.Win32.Small.jf

Scan process completed.

Rawe
2006-04-08, 23:27
Go ahead and delete: Avenger's backup zip; !KillBox folder; items in your Antivirus Quarantine; C:\Veracruz.ex_

What about this one? D:\Data\RedHat.pst

If you can find it, remove it too. Then finally empty the recycle bin. We should be done. ;)

==

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Sygate (http://www.sygate.com/) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice:
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)
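
The hosts-file tip above works because Windows consults `%SystemRoot%\system32\drivers\etc\hosts` before asking DNS, so any name listed there with 127.0.0.1 (or 0.0.0.0) never reaches the network. The same file is a common target of malware, which adds entries so that security vendors' sites resolve to an attacker-chosen or dead address. As an added example, not code from the thread or from the MVPS project, the Python below parses a hosts file, separates deliberate blocklist entries from mappings that send a name to a real address (the ones worth reviewing), checks that localhost still points at loopback, and merges new blocklist names without duplicating ones already present. The sample hosts content, including the `liveupdate.example.net` / 203.0.113.9 line, is constructed for the example.

```python
"""Audit and extend a Windows hosts file used as an ad/spyware blocklist."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Addresses a blocklist maps unwanted names to. 127.0.0.1 is what the MVPS file
# described above uses; 0.0.0.0 avoids a connection attempt to a local web server.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample (not a real hosts file): a stock localhost line, two
# blocklist entries, and one tampered mapping of the kind malware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.yieldmanager.com      # blocklist entry
127.0.0.1  adopt.hbmediapro.com     # blocklist entry
203.0.113.9  liveupdate.example.net # tampered: a real address, not a sinkhole
"""

@dataclass
class HostsReport:
    blocked: List[str] = field(default_factory=list)     # names sinkholed on purpose
    redirected: List[str] = field(default_factory=list)  # names sent to a real address
    invalid: List[str] = field(default_factory=list)     # unparsable lines
    localhost_ok: bool = False                           # localhost still on loopback

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per name; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 2:
            pairs.append((tokens[0], ""))        # address with no name: flagged later
            continue
        for name in tokens[1:]:
            pairs.append((tokens[0], name.lower()))
    return pairs

def audit_hosts(text: str) -> HostsReport:
    report = HostsReport()
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report.invalid.append(f"{ip} {name}".strip())
            continue
        if not name:
            report.invalid.append(ip)
        elif name == "localhost":
            # localhost must stay on loopback; anything else is tampering.
            report.localhost_ok = addr.is_loopback
        elif ip in SINKHOLES:
            report.blocked.append(name)
        else:
            # Legitimate intranet entries land here too, so this is a review list,
            # not an automatic verdict.
            report.redirected.append(f"{ip} {name}")
    return report

def merge_blocklist(existing: str, names: Iterable[str], sink: str = "127.0.0.1") -> str:
    """Append sinkhole entries for names not already present; existing lines are untouched."""
    known = {name for _, name in parse_hosts(existing)}
    added = [f"{sink}\t{n.lower()}" for n in names if n.lower() not in known]
    if not added:
        return existing
    return existing.rstrip("\n") + "\n# added blocklist entries\n" + "\n".join(added) + "\n"

if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print("localhost ok:", rep.localhost_ok)
    print("blocked:", rep.blocked)
    print("review (redirected):", rep.redirected)
    print(merge_blocklist(SAMPLE_HOSTS, ["ad.yieldmanager.com", "tracker.example.org"]))
```

Anything in the `redirected` list that names a vendor, update or banking site deserves the same suspicion as a random-named .exe in the startup list; after a clean-up, re-running the audit is a cheap way to confirm the infection did not leave a redirect behind.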

bithead
2006-04-09, 04:21
Well, Thank you! Thank you! Thank you! :D

The Redhat.pst is another Outlook archive, so I need to be careful with it.

The MVPS Hosts file is a cool idea -- thanks! And I grabbed SpywareBlaster as well -- I was not aware of that one.

So, did I say thanks yet? THANKS! :bigthumb:

Rawe
2006-04-09, 11:05
Since this issue is now resolved, this Topic has been archived. Should you need it reopened for any reason, please PM a Staff member with its address and request. This only applies to the Original poster. Glad we were able to help. :)