
Seek help to remove pop-ups



PJFong
2006-04-23, 15:27
Dear professionals:

My PC has Trend Micro OfficeScan installed, but it was
still infected when I surfed the net. Thanks to Spybot S&D,
most of the spies are now removed, but there are still some problems:

1) I keep getting several pop-up windows to install "Zango"
freeware and some ads.

2) Occasionally, my PC reboots itself at start-up or in the
middle of an application program.

3) Occasionally, Trend Micro OfficeScan prompts that it has found a trojan
or other virus, but it only finds it and can't kill it.

Here is the logfile of HijackThis. Thanks for your kind help.


Logfile of HijackThis v1.99.1
Scan saved at 下午 05:04:34, on 2006/4/21
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\TEMP\BLB78A.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINPENJR\win32\pphidpad.exe
C:\WINNT\ghost.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\JF\Program\Hijack this\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: load=C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: run=C:\WINNT\system32\sxlntr.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.139.66 socks.temphost.ws
O1 - Hosts: 85.249.139.66 j002_fljkdr.fgkfps.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Sys_Run] C:\WINNT\ghost.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKLM\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Rescue Autorun] C:\WINNT\winlogon.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\RunOnce: [Windows Rescue Autorun] C:\WINNT\winlogon.exe
O4 - HKLM\..\RunOnce: [Windows Rescue Autorun] C:\WINNT\winlogon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe /STARTUP
O4 - HKCU\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKCU\..\Run: [Repair Service Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKCU\..\Run: [Windows Rescue Autorun] C:\WINNT\winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra 'Tools' menuitem: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: OfficeScanNT 即時掃瞄 (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT 防火牆 (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

illukka
2006-04-23, 23:10
Hi,
Welcome.
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

Please download ewido anti-malware (http://www.ewido.net/en/download/); it is a free version of the program.
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

Reboot your computer into Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.

Then launch ewido:

Click on Scanner.
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located at the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Reboot back to normal mode, then post the ewido report and a log from a fresh HijackThis scan.

PJFong
2006-04-24, 11:37
Hi,

Thanks for your kind advice. I downloaded Ewido and chose "English" during installation, but I don't know why it turned out to display in Chinese. Anyway, I think I got the complete scan done correctly in Safe Mode, and Ewido reported that 57 viruses were detected and cleaned. May I guess this is a good sign? But when I click "Save Report", it displays an error message and can't save the content successfully. So, I can only paste the new HijackThis log.

Today, so far I haven't got any pop-ups, but at system start-up a message prompts: "Cannot find 'sxlntr.exe' (or its components). Pls check if the path and filename is correct..." or something like that. I encountered this message for the first time, but it seems that my PC isn't affected and it runs rather smoothly on the whole today.

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 下午 03:38:16, on 2006/4/24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TEMP\QD8E4E.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\system32\wuauclt.exe
C:\WINPENJR\win32\pphidpad.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
D:\JF\Program\Hijack this\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: load=C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: run=C:\WINNT\system32\sxlntr.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.139.66 socks.temphost.ws
O1 - Hosts: 85.249.139.66 j002_fljkdr.fgkfps.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe /STARTUP
O4 - HKCU\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKCU\..\Run: [Repair Service Manager] C:\WINNT\system32\mpcsvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra 'Tools' menuitem: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: OfficeScanNT 即時掃瞄 (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT 防火牆 (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

illukka
2006-04-24, 19:58
hi

ok: this logfile seems to be full of rootkits, backdoors and trojans!!!
viruses of the worst kind, to be exact.

This is something I don't like to recommend normally, but with a computer this badly infected it would be the best solution for your safety to format the drive and do a fresh install of the operating system. Consider this especially if there is important or confidential information stored on your hard disk.

IMPORTANT: You need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.

You need to take steps to protect your information that may have been compromised. I recommend these steps for action:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

Some more links to read:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx

Let me know what your choice is: to format, or to attempt a cleaning.
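Added example (not part of this thread, and not HijackThis's own code): a small Python triage script that reads HijackThis-style lines and flags the kinds of entries the helper is reacting to in the log above. The sample lines are copied from that log plus one benign line; the rule names, the set of core system binaries and the checks themselves are this example's own assumptions, not a HijackThis feature.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted
# earlier in this thread, plus benign Run entries for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: load=C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: run=C:\WINNT\system32\sxlntr.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Rescue Autorun] C:\WINNT\winlogon.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
"""

# Core Windows binaries that live in %SystemRoot%\system32 on Windows 2000.
# The same file name loaded from any other directory deserves a close look
# (explorer.exe is deliberately absent: it legitimately sits in %SystemRoot%).
SYSTEM_BINARIES = {"winlogon.exe", "lsass.exe", "services.exe",
                   "svchost.exe", "csrss.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")


def command_path(command):
    """Return the executable path from an O4 command string.

    A quoted path ("C:\\Program Files\\x.exe" -flag) is taken up to the
    closing quote; otherwise the first whitespace-separated token is used.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text):
    """Scan HijackThis-style lines and return a list of (rule, line) findings."""
    findings = []
    o4_seen = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = F2_SHELL_RE.match(line)
        if m:
            # The normal value is just "explorer.exe"; anything appended is
            # started together with the shell at every logon.
            tokens = m.group(1).split()
            if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
                findings.append(("shell-extra-exe", line))
            continue
        m = F3_RE.match(line)
        if m and m.group(2).strip():
            # win.ini load=/run= are legacy autostart hooks, normally empty.
            findings.append(("winini-autostart", line))
            continue
        if O1_RE.match(line):
            # HijackThis lists hosts-file entries beyond the default
            # localhost line, so every O1 line is a redirect to review.
            findings.append(("hosts-redirect", line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            path = command_path(command).lower()
            directory, _, base = path.rpartition("\\")
            if base in SYSTEM_BINARIES and not directory.endswith("\\system32"):
                findings.append(("system-name-wrong-dir", line))
            if key.lower() == "runservices":
                # Seldom used by current software; worth a review.
                findings.append(("runservices-entry", line))
            o4_seen[line] += 1
            if o4_seen[line] == 2:
                # HijackThis printed the same entry twice in the log above.
                findings.append(("duplicate-o4", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24s} {line}")
```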

PJFong
2006-04-25, 10:53
Hi,

Thanks for your advice again. Well, as the level of confidentiality of the data is not very high, I have regular back-ups, and the PC and network seem to run smoothly, I think I prefer a clean-up at this stage.

If the system later shows really bad symptoms, I will not hesitate to ask my colleagues to help me reformat and reinstall the PC.

illukka
2006-04-25, 22:42
hi

Let's do an online virus scan next:

go to Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm)


Once you are on the Panda site, click the Scan your PC button.
A new window will open; click the Check Now button.
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

PJFong
2006-04-27, 10:02
Hi,

The attached file is the Panda Active Scan report.


Incident Status Location

Virus:Backdoor Program Disinfected C:\WINNT\system32\psinthk.dll
Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\DSE\Cookies\dse@66.246.209[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DSE\Cookies\dse@perf.overture[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\DSE\Cookies\dse@2o7[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\DSE\Cookies\dse@centrport[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\DSE\Cookies\dse@ads.pointroll[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\DSE\Cookies\dse@stat.onestat[2].txt
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\716171.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\357281.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\8796937.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\21096937.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\33696953.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\45996937.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\3694953.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\372437.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\3962593.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\6963343.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\10563062.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\6661406.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\10861046.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\364906.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\3425218.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\367578.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\12959687.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\704937.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\367609.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\12654656.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\686031.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\14460468.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\397968.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\12683718.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\708843.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\25283781.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\387890.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\5208468.exe
Virus:Trj/Clicker.OE Disinfected C:\Documents and Settings\DSE\Local Settings\Temp\17808546.exe

PJFong
2006-04-27, 10:05
Hi,

Here comes the new HijackThis log. Thanks for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 下午 02:48:26, on 2006/4/27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TEMP\GY8D39.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINPENJR\win32\pphidpad.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\system32\wuauclt.exe
D:\JF\Program\Hijack this\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: load=C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: run=C:\WINNT\system32\sxlntr.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.139.66 socks.temphost.ws
O1 - Hosts: 85.249.139.66 j002_fljkdr.fgkfps.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKCU\..\Run: [Repair Service Manager] C:\WINNT\system32\mpcsvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra 'Tools' menuitem: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: OfficeScanNT 即時掃瞄 (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT 防火牆 (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

illukka
2006-04-27, 22:47
hi

Let's try to catch the rootkit next:

Download and Save Blacklight (http://www.f-secure.com/blacklight/try.shtml) to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

Also:

Download, unzip, then scan with RootkitRevealer.exe
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it's done go File > Save.
Attach the log back here in your next reply.
Not to worry, normally there are a lot of items.
It's an intensive scan, so I suggest you disconnect from the internet and leave the PC alone until it's finished.

So I need to see those two logs, thank you :)

PJFong
2006-04-28, 12:06
Hi,

Here is the Blacklight log:

04/28/06 12:19:06 [Info]: BlackLight Engine 1.0.36 initialized
04/28/06 12:19:06 [Info]: OS: 5.0 build 2195 (Service Pack 4)
04/28/06 12:19:06 [Note]: 7019 4
04/28/06 12:19:06 [Note]: 7005 0
04/28/06 12:19:20 [Note]: 7006 0
04/28/06 12:19:20 [Note]: 7011 1180
04/28/06 12:19:21 [Note]: 7026 0
04/28/06 12:19:21 [Note]: 7026 0
04/28/06 12:19:23 [Note]: FSRAW library version 1.7.1015
04/28/06 12:21:07 [Note]: 7007 0


And here is the Rootkit Revealer log:

HKLM\SOFTWARE\ewido\config\nmqdcp\ryjimw 2006/4/24 3 bytes Hidden from Windows API.
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\TotalScanned 2006/4/28 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\LastScannedFileName 2006/4/28 45 bytes Windows API length not consistent with raw hive data.
C:\Program Files\Trend Micro\OfficeScan Client\Temp\VSSBVF7N.0RV 2006/4/28 0 bytes Hidden from Windows API.

Thanks for your assistance.

illukka
2006-05-02, 22:21
hi

first, sorry for my absence, I got myself a new job that keeps me busy...

let's try Doctor Web's CureIt in safe mode

download Doctor Web's CureIt utility from here:

ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

once saved, right-click it to extract it to its own folder

then reboot to safe mode

open the folder where you extracted CureIt and double-click on drweb32w.exe
once its initial startup scan is over, click File > Scan path. Browse to your c:\ drive and click OK

the scan will launch
allow it to clean all infections
after the scan is finished and all viruses are cleaned, reboot back to normal mode

could you copy and paste the listed infected files here?
the log will be huge, and I don't need to see it all, just the detected viruses
it will be in the Documents and Settings\your userprofile\Local Settings\drweb folder

also post a new hijackthis log

PJFong
2006-05-04, 10:16
Hi,

You got a new job, you mean a new career? How nice! Congratulations!

Here is the last part of Cureit log with infected and cleaned objects:

[Scan path] C:\
>>C:\WINNT\system32\iexplore.exe infected with BackDoor.Netsnake - deleted
C:\WINNT\system32\config\software.LOG - read error
C:\WINNT\system32\config\default.LOG - read error
C:\WINNT\system32\config\SECURITY - read error
C:\WINNT\system32\config\SECURITY.LOG - read error
C:\WINNT\system32\config\SYSTEM.ALT - read error
C:\WINNT\system32\config\SAM - read error
C:\WINNT\system32\config\SAM.LOG - read error
C:\WINNT\system32\config\SYSTEM - read error
C:\WINNT\system32\config\SOFTWARE - read error
C:\WINNT\system32\config\DEFAULT - read error
C:\Documents and Settings\DSE\NTUSER.DAT - read error
C:\Documents and Settings\DSE\NTUSER~1.LOG - read error
C:\Documents and Settings\DSE\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT - read error
C:\Documents and Settings\DSE\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
>C:\Documents and Settings\DSE\Local Settings\Temp\679906.exe infected with Trojan.Click.1141 - deleted
>C:\Documents and Settings\DSE\Local Settings\Temp\14458062.exe infected with Trojan.Click.1141 - deleted
>C:\Documents and Settings\DSE\Local Settings\Temp\705625.exe infected with Trojan.Click.1141 - deleted
C:\Program Files\RealVNC\vncviewer.exe is riskware program Program.RemoteAdmin - ignored
C:\Program Files\RealVNC\WinVNC\winvnc.exe is riskware program Program.RemoteAdmin - ignored
C:\Program Files\RealVNC\WinVNC\othread2.dll is riskware program Program.RemoteAdmin - ignored
C:\Program Files\RealVNC\WinVNC\vnchooks.dll is riskware program Program.RemoteAdmin - ignored


Scan statistics

Objects scanned: 54047
Infected objects found: 4
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 4
Objects renamed: 0
Objects moved: 0
Objects ignored: 4
Scan speed: 1838 Kb/s
Scan time: 00:22:15



Total session statistics

Objects scanned: 54242
Infected objects found: 4
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 4
Objects renamed: 0
Objects moved: 0
Objects ignored: 5
Scan speed: 1836 Kb/s
Scan time: 00:22:33


And here is the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 下午 03:08:55, on 2006/5/4
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\TEMP\SED31B.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINPENJR\win32\pphidpad.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\JF\Program\Hijack this\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: load=C:\WINNT\system32\sxlntr.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.139.66 socks.temphost.ws
O1 - Hosts: 85.249.139.66 j002_fljkdr.fgkfps.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKCU\..\Run: [Repair Service Manager] C:\WINNT\system32\mpcsvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra 'Tools' menuitem: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: OfficeScanNT 即時掃瞄 (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT 防火牆 (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Thanks for your assistance.

illukka
2006-05-07, 01:01
hi

looks much better

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

open HijackThis, click Do a system scan only

checkmark the boxes next to these lines:

F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\sxlntr.exe
F3 - REG:win.ini: load=C:\WINNT\system32\sxlntr.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.139.66 socks.temphost.ws
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [RepServ Manager] C:\WINNT\system32\mpcsvc.exe
O4 - HKCU\..\Run: [Repair Service Manager] C:\WINNT\system32\mpcsvc.exe



next close your browser and all Explorer windows

and click fix checked


reboot
post a new hjt log
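
The fix list above is the result of reading the HijackThis log by hand: a modified Shell= line, a win.ini load= entry, Hosts entries pointing at an outside address, a RunServices autostart and an orphaned BHO. The script below is an added example, not something from the thread or from the HijackThis project, that applies the same reading rules to a constructed sample log (placeholder file names, a TEST-NET address and an all-zero GUID, none of them taken from the user's machine). It flags processes started from a Temp directory as well, since the logs in this thread repeatedly show one such process.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# One finding: (severity, reason, original log line)
Finding = Tuple[str, str, str]

# Constructed sample in HijackThis v1.99 format. The entries imitate the kinds of lines
# seen in the thread but use placeholder names, an RFC 5737 TEST-NET address and a dummy GUID.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\AB1234.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\example.exe
F3 - REG:win.ini: load=C:\WINNT\system32\example.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 socks.example.invalid
O2 - BHO: IE - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
F3_LOAD_RE = re.compile(r"^F3 - REG:win\.ini: load=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a helper would look at first."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            # Programs launched from a Temp directory are rarely legitimate autostarts.
            if TEMP_DIR_RE.search(line):
                findings.append(("high", "process running from a Temp directory", line))
            continue

        m = F2_SHELL_RE.match(line)
        if m:
            # Shell= should be exactly explorer.exe; anything appended runs at every logon.
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(("high", "extra program appended to Shell=", line))
            continue

        m = F3_LOAD_RE.match(line)
        if m:
            # win.ini load= is a legacy autostart with no normal use on NT-family Windows.
            if m.group(1).strip():
                findings.append(("high", "win.ini load= autostart is set", line))
            continue

        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(("medium", "unparseable Hosts entry", line))
                continue
            # Loopback entries block a name; anything else silently redirects it.
            if not addr.is_loopback:
                findings.append(("high", f"Hosts redirects {name} to {ip}", line))
            continue

        m = O4_RE.match(line)
        if m:
            _hive, key, _name, _cmd = m.groups()
            # RunServices is a Windows 9x/ME-era key; software on 2000/XP has no reason to use it.
            if key == "RunServices":
                findings.append(("medium", "RunServices autostart entry", line))
            continue

        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("low", "orphaned BHO entry, file no longer on disk", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'medium': 1, 'low': 1}."""
    counts: Dict[str, int] = {}
    for severity, _reason, _line in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def fix_list(findings: List[Finding], min_severity: str = "high") -> List[str]:
    """The original log lines to tick in HijackThis, in the order they appeared."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return [line for sev, _reason, line in findings if rank[sev] >= rank[min_severity]]


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a real log by passing the file contents to `triage()`. The rules are deliberately narrow: the Hosts check only asks whether the address is loopback, because a loopback entry blocks a name while any other address redirects it, which is exactly the difference between the MVPS-style protective entries recommended later in this thread and the entries the helper removed here.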

PJFong
2006-05-08, 09:29
Hi,

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 下午 02:21:58, on 2006/5/8
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TEMP\VI9357.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINPENJR\win32\pphidpad.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINNT\system32\wuauclt.exe
D:\JF\Program\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra 'Tools' menuitem: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: OfficeScanNT 即時掃瞄 (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT 防火牆 (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Thanks for your kind help.

illukka
2006-05-08, 23:05
one more item to fix
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)

then post a fresh hjt log

PJFong
2006-05-09, 07:02
Hi,

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 上午 11:55:10, on 2006/5/9
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TEMP\DS4BE4.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINPENJR\win32\pphidpad.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINNT\system32\wuauclt.exe
D:\JF\Program\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra 'Tools' menuitem: Popup Control - {7947B27A-1FB6-4840-8A12-936EA221694F} - C:\Program Files\popup control\PopupControl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS1\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS2\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: Domain = sme.gov.mo
O17 - HKLM\System\CS3\Services\Tcpip\..\{1295D087-BA82-4729-815A-5C51CE222AE4}: NameServer = 192.168.100.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = economia.gov.mo,sme.gov.mo
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: OfficeScanNT 即時掃瞄 (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT 防火牆 (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Thanks for your kind help.

illukka
2006-05-09, 22:48
hi

do you have any spyware scanners installed ?
are those detecting anything

log file looks clean, are the online scanners functioning now?

PJFong
2006-05-10, 06:19
Hi,

I had Spybot S&D and TrendMicro Office Scan installed. I just ran a check; neither detected anything.

But when I ran Ewido just now, it detected and cleaned the following 2 items, and it said they are of medium risk level:

path: C:\Documents and Settings\DSE\Cookies\dse@2o7[1].txt; Infected by TrackingCookie.2o7

path: C:\Documents and Settings\DSE\Cookies\dse@ads.pointroll[2].txt; Infected by TrackingCookie.Pointroll

I have no idea what damage they may cause. My PC is running smoothly right now.

I very much appreciate your advice.

illukka
2006-05-11, 22:24
hi

don't worry, those are just cookies ;D


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

also remember to keep your Java updated, see this topic for instructions
http://forums.spybot.info/showthread.php?t=2559
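
The "Make your Internet Explorer more secure" steps above are six Custom Level changes for the Internet zone. Internet Explorer stores those per-zone settings as numbered DWORD values under the zone's registry key, so a regedit export of that key can be checked without clicking through the dialog. The script below is an added example, not part of the thread or of any Microsoft tool: the value IDs and the Enable/Prompt/Disable encoding are the ones Microsoft documents for IE security zones (verify them against your own IE version), and the sample export is constructed for the example rather than taken from anyone's machine.

```python
import re
from typing import Dict, List, Tuple

# Data values IE stores for a zone setting.
ENABLE, PROMPT, DISABLE = 0, 1, 3
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Value IDs for the six settings the post changes, with the post's recommended level.
# (IDs as documented by Microsoft for IE security zones; assumption: check your IE version.)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Zone 3 is the Internet zone for the current user.
ZONE_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"

# Constructed sample export (regedit format), not a real machine's settings:
# two of the six settings are still at Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

VALUE_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone(reg_text: str, zone_key: str = ZONE_KEY) -> Dict[str, int]:
    """Collect the numbered DWORD values found under one zone key in a .reg export."""
    values: Dict[str, int] = {}
    in_zone = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # a new key starts; are we in the zone we want?
            in_zone = line == zone_key
            continue
        if not in_zone:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


# One result: (value id, setting name, current data or -1 if absent, recommended data)
Weakness = Tuple[str, str, int, int]


def audit(reg_text: str) -> List[Weakness]:
    """Report each of the six settings that is looser than the post recommends."""
    current = parse_zone(reg_text)
    weak: List[Weakness] = []
    for vid, (name, wanted) in RECOMMENDED.items():
        if vid not in current:
            # Absent value: the zone template default applies; flag it for a manual check.
            weak.append((vid, name, -1, wanted))
            continue
        have = current[vid]
        if STRICTNESS.get(have, 0) < STRICTNESS[wanted]:
            weak.append((vid, name, have, wanted))
    return weak


def hardened_reg() -> str:
    """A regedit-format fragment that applies the recommended levels to the Internet zone."""
    lines = ["Windows Registry Editor Version 5.00", "", ZONE_KEY]
    for vid, (_name, wanted) in RECOMMENDED.items():
        lines.append(f'"{vid}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for vid, name, have, wanted in audit(SAMPLE_REG):
        print(f"{vid} {name}: current={have} recommended={wanted}")
    print(hardened_reg())
```

Export the key with regedit, feed the file's text to `audit()`, and the list that comes back is exactly the set of rows you still need to change in the Custom Level dialog; `hardened_reg()` produces the same six changes as a fragment you could review before importing. Applying the fragment itself is equivalent to the manual steps only for these six settings, and the other Custom Level entries are left as they are.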

PJFong
2006-05-16, 06:12
Hi,

I've finished the Disable and Enable System Restore, enhancing the IE security, and using a firewall. I guess I won't have problems using the anti-virus, anti-spy, anti-ad and other preventive measures.

Although it really caused me a headache to face an infected PC, I appreciate your help so much, and during this time I've learnt a lot about keeping a PC secure.

I would like to express my utmost thanks, and I wish you success in every aspect of your life.

LonnyRJones
2006-05-18, 21:29
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.

If you should need to post another log for the same PC let one of us know.