Help battling Malware



Outsider
2006-04-29, 20:19
Like many people, it seems, I also have command service problems. According to SpyBot, I had a couple of trojans and viruses, like "command service, Look2Me and others" (I mean all those were removed with Spybot, SpySweep, ewido, Panda Antivirus and hijackthis).
I'm pretty sure most of the problems are gone. I ran Hijackthis and I'll post the log.
After I ran Look2Me-Destroyer I'm having one slight problem. I'm not sure if it is related or not, but lately I can change everything on my desktop (like delete shortcuts, add program icons, change wallpaper, etc.), but when I boot the machine the next time, all the things that I removed (program icons and shortcuts) appear again. I don't have a problem changing the wallpaper or removing some icons, but with some others I do: for example, I removed the program BHODemon2, but every time I reboot the machine a message appears saying there is an error with BHODemon.lnk, and all the shortcuts I had deleted appear again. I've removed Panda Titanium 2006 (because I had problems during the installation) but the files are still on my drive C. It seems that the computer is not saving my personal settings when I log out, and it started when I ran Look2Me-Destroyer, despite the fact that I had a lot of malware. Is it a malware problem, or is it more likely something else wrong with the computer? It's not too much of a bother, but it would be good if it can be fixed. Any ideas?

Outsider
2006-04-29, 20:21
Logfile of HijackThis v1.99.1
Scan saved at 12:56:45, on 29/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\WINNT\system32\IIS\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\ECC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ESOE\EDMS\ECP.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\eWorkplace\eWLaunch.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LidPolicy] C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: Monitor de conexão de telefone.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.ericsson.se/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143827140223
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://host3.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Access Client Configuration Support (VRCCfgService) - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Access Client (VRCService) - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

tashi
2006-05-03, 23:23
Hello and sorry for the wait.
If you are still in need of assistance please go here and post a link back to this topic to flag a helper.

If you have waited four days for advice, post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

CalamityJane
2006-05-06, 00:29
I'll be happy to look this over for you. Could you please post a fresh HijackThis log so I can see where you are at this point?

In addition, I'd like to see an additional report. Open HijackThis and, instead of Scan, choose *Open Misc. Tools Section*.

From there, choose *Open Uninstall Manager*. Wait while it builds the list. When done, press the *Save List* button. Copy the contents of that report along with the new HijackThis scan log :)

Outsider
2006-05-07, 23:23
Logfile of HijackThis v1.99.1
Scan saved at 16:15:16, on 7/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\WINNT\system32\IIS\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Babylon\Babylon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LidPolicy] C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: Monitor de conexão de telefone.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143827140223
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://host3.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Access Client Configuration Support (VRCCfgService) - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Access Client (VRCService) - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

Outsider
2006-05-07, 23:27
ACDSee
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Agere Systems AC'97 Modem
ATI Display Driver
ATI MOBILITY RADEON 9600 Video Driver
Authorware Web Player
Babylon
Bluetooth by hp
Bluetooth Fix
Canon Camera TWAIN Driver 6.0
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
CentraOne
Chipset Software Installation Utility
Data Access Objects (DAO) 3.5
Dial-Up Client 4.1 for RACOM
DirectX 9 Hotfix - KB839643
Ericsson Fonts
ESOE2000 General Update
ESOE2000ClientUpdate
ewido anti-malware
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix Q296861 (QCHAIN)
Hotfix Q814078
Hotfix Q818043
Hotfix Q820888
Hotfix Q822831
Hotfix Q823353
Hotfix Q824105
Hotfix Q828028
Hotfix Q828741
Hotfix Q829558
Hotfix Q831167
Hotfix Q832353
Hotfix Q832414
Hotfix Q835732
Hotfix Q837001
Hotfix Q839643
Hotfix Q839645
Hotfix Q839654
Hotfix Q840315
Hotfix Q841872
Hotfix Q841873
Hotfix Q842526
HP BIOS Utility
HP Diagnostics for Windows
HP Driver Pack
HP Notebook LidSwitch Policy
IE5 Registration
Intel SpeedStep technology Applet 3.00 B4
Internet Explorer Q903235
InterVideo WinDVD
IRPF2004 - Declaração de Ajuste Anual
IRPF2005 - Declaração de Ajuste Anual
IRPF2006 - Declaração de Ajuste Anual
Kaspersky On-line Scanner
Kazaa Lite Resurrection 0.0.7.6 F
KB244474
KB824151
KB832483
KB833989
KB840987
KB841356
KB841533
KB883939
KB890046
KB890859
KB892944
KB893086
KB893756
KB894320
KB896358
KB896422
KB896423
KB896424
KB896688
KB896727
KB897715
KB898060
KB899587
KB899588
KB899589
KB900725
KB901017
KB901214
KB902400
KB903235
KB904706
KB905414
KB905495
KB905749
KB905915
KB908519
KB908523
KB911564
KB911565
KB912919
Macromedia Flash Player 8
MapInfo Professional 5.0
MapInfo Professional 6.5
MCOM3g V1.0.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft DirectX 9.0
Microsoft Netmeeting
Microsoft Office Professional Edition 2003
Microsoft Streets and Trips 2005
Microsoft VGX Q833989
Monitor Drivers for Compaq 9500, HP L1730 and HP L1702
MSN Messenger 7.0
Multi-Calendar Viewer
NC 8000 Bios V F.17
Office 2000 Hotfix 021211
Office 2000 Hotfix 030226
Office Animation Runtime
Pointsec
Quick Launch Buttons 5.10 A2
RACOM via Internet Client
Receitanet 2006
Saída Definitiva do País 2005
Sametime Java Client
Security Update for Windows 2000 (KB904706)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
SEMC DSS SyncStation Driver
Shockwave and Flash Plug-In
Skype 2.0
SmartForce Player
Sony Ericsson PC Suite 3.2.0
Spybot - Search & Destroy 1.3
SteelRay Project Viewer
Sygate Security Agent 4.1
Symantec AntiVirus Client Special Non-Admin Install
Synaptics Pointing Device Driver
Update Rollup 1 for Windows 2000 SP4
VNC Agent - ESOE Edition
Windows 2000 Hotfix - KB839654
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB898060
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix (SP5) Q818043
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Codecs
Windows Media Player system update (9 Series)
WinRAR archiver
Winzip 8.1
WS_FTP Pro 7
ZSMC USB PC Camera

CalamityJane
2006-05-07, 23:37
Got 'em :)

I'm reviewing these now. It takes a few minutes to go over them and come back with a response.

CalamityJane
2006-05-08, 00:05
Your Spybot is outdated - you need to uninstall it and download and install Spybot v. 1.4
http://www.spybot.info/en/download/index.html

A couple of suspicious-looking files I can't identify; I would like for you to get them checked out here:

Virus Total
http://www.virustotal.com/

(Use the browse button to select the files, using the paths below, and submit them)

C:\WINNT\SYSTEM32\WinEvents.dll

C:\WINNT\system32\IIS\svchost.exe (Note the unusual location: it is the svchost.exe located in a folder named IIS. Don't confuse it with the legitimate svchost, located directly in the System32 folder)

Wait while VirusTotal scans the file. It will present a report at the end. Please copy and paste all of the report into notepad and repeat for the second file. Please post the results of both back here.
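
The check CalamityJane describes above (a well-known system binary name such as svchost.exe running from a directory it does not ship in) can be applied mechanically to the whole log. The following is an added example, not code from the thread, from HijackThis or from VirusTotal; it uses lines copied from the thread's second HijackThis log as sample input and assumes a Windows 2000 layout with %SystemRoot% = C:\WINNT (the EXPECTED_DIRS table is an assumption to adjust for other systems). It also reports O20 Winlogon Notify entries whose DLL the log marks as missing, and O23 services with no recorded vendor; the latter is only a prompt to verify by hand, since the ATI and Pointsec services in the same log show how often legitimate software reports "Unknown owner".

```python
r"""Triage a HijackThis 1.99.1 log for masquerading system binaries.

Added example, not part of the original thread. Sample input is copied
from the thread's own log; EXPECTED_DIRS assumes %SystemRoot% = C:\WINNT.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set

# Well-known Windows binaries and the only directories they ship in
# (assumed Windows 2000 layout). A process with one of these names
# running from anywhere else is suspect; the thread's
# C:\WINNT\system32\IIS\svchost.exe is the motivating case.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "svchost.exe":  {r"c:\winnt\system32"},
    "smss.exe":     {r"c:\winnt\system32"},
    "csrss.exe":    {r"c:\winnt\system32"},
    "winlogon.exe": {r"c:\winnt\system32"},
    "services.exe": {r"c:\winnt\system32"},
    "lsass.exe":    {r"c:\winnt\system32"},
    "spoolsv.exe":  {r"c:\winnt\system32"},
    "rundll32.exe": {r"c:\winnt\system32"},
    "explorer.exe": {r"c:\winnt"},
}

# Sample input: lines copied from the thread's second HijackThis log.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\IIS\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\hijackthis\HijackThis.exe

O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Access Client Configuration Support (VRCCfgService) - C:\WINNT\system32\VRCCfgService.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def check_process(path: str) -> Optional[str]:
    """Flag a well-known system binary that is not running from its home directory."""
    p = PureWindowsPath(path.strip())
    name, parent = p.name.lower(), str(p.parent).lower()
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None or parent in allowed:
        return None
    return f"{path}: {name} normally lives in {', '.join(sorted(allowed))}, not {parent}"


def parse_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths, active = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            active = True
        elif active and not s:
            break
        elif active:
            paths.append(s)
    return paths


def check_service(line: str) -> Optional[str]:
    """Flag an O23 service whose binary is misplaced, or which has no recorded vendor."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").rsplit(" - ", 2)
    if len(parts) == 3:
        display, owner, path = parts
    else:  # HijackThis omits the owner field for some services
        display, path, owner = parts[0], parts[-1], "Unknown owner"
    misplaced = check_process(path)
    if misplaced:
        return f"{display}: {misplaced}"
    if owner == "Unknown owner":
        return f"{display}: no vendor recorded for {path} (verify manually)"
    return None


def check_winlogon_notify(line: str) -> Optional[str]:
    """Flag O20 Winlogon Notify entries whose DLL no longer exists (stale registry entry)."""
    s = line.strip()
    if s.startswith("O20 - Winlogon Notify:") and s.endswith("(file missing)"):
        return f"{s}: registry still references a DLL that is not on disk"
    return None


def triage(log: str) -> List[str]:
    """Run every check over the log and return the findings in log order."""
    findings = [f for p in parse_processes(log) if (f := check_process(p))]
    for line in log.splitlines():
        for check in (check_service, check_winlogon_notify):
            f = check(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the misplaced svchost.exe is reported twice, once from the process list and once from the O23 service that launches it, which is exactly the correlation a helper reading the log by hand makes. Path comparison is case-insensitive because Windows paths are, and an O23 line with only two fields is treated as having no vendor rather than being skipped.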

Outsider
2006-05-08, 00:58
STATUS: FINISHED
Complete scanning result of "WinEvents.dll", received in VirusTotal at 05.08.2006, 00:47:15 (CET).

Antivirus           Version         Update      Result
AntiVir             6.34.0.24       04.20.2006  no virus found
Avast               4.6.695.0       05.05.2006  no virus found
AVG                 386             05.05.2006  no virus found
Avira               6.34.1.58       05.07.2006  no virus found
BitDefender         7.2             05.07.2006  no virus found
CAT-QuickHeal       8.00            05.05.2006  no virus found
ClamAV              devel-20060426  05.07.2006  no virus found
DrWeb               4.33            05.07.2006  no virus found
eTrust-InoculateIT  23.72.2         05.07.2006  no virus found
eTrust-Vet          12.4.2194       05.04.2006  no virus found
Ewido               3.5             05.07.2006  no virus found
Fortinet            2.71.0.0        05.07.2006  no virus found
F-Prot              3.16c           05.05.2006  no virus found
Ikarus              0.2.65.0        05.05.2006  no virus found
Kaspersky           4.0.2.24        05.08.2006  no virus found
McAfee              4756            05.05.2006  no virus found
Microsoft           1.1372          05.07.2006  no virus found
NOD32v2             1.1523          05.05.2006  no virus found
Norman              5.90.17         05.05.2006  no virus found
Panda               9.0.0.4         05.07.2006  no virus found
Sophos              4.05.0          05.07.2006  no virus found
Symantec            8.0             05.07.2006  no virus found
TheHacker           5.9.7.139       05.05.2006  no virus found
UNA                 1.83            05.06.2006  no virus found
VBA32               3.11.0          05.06.2006  no virus found

Additional information
File size: 98304 bytes
MD5: 3e9437091dd889d45c3d7e743247d7b9
SHA1: def2db9c773f4d059f43f0ab1301806eea04d2a4

STATUS: FINISHED
Complete scanning result of "svchost.exe", received in VirusTotal at 05.08.2006, 00:51:50 (CET).

Antivirus           Version         Update      Result
AntiVir             6.34.0.24       04.20.2006  no virus found
Avast               4.6.695.0       05.05.2006  no virus found
AVG                 386             05.05.2006  no virus found
Avira               6.34.1.58       05.07.2006  no virus found
BitDefender         7.2             05.07.2006  no virus found
CAT-QuickHeal       8.00            05.05.2006  Tool.XYNTService.c (Not a Virus)
ClamAV              devel-20060426  05.07.2006  no virus found
DrWeb               4.33            05.07.2006  no virus found
eTrust-InoculateIT  23.72.2         05.07.2006  no virus found
eTrust-Vet          12.4.2194       05.04.2006  no virus found
Ewido               3.5             05.07.2006  no virus found
Fortinet            2.71.0.0        05.07.2006  no virus found
F-Prot              3.16c           05.05.2006  no virus found
Ikarus              0.2.65.0        05.05.2006  no virus found
Kaspersky           4.0.2.24        05.08.2006  no virus found
McAfee              4756            05.05.2006  no virus found
Microsoft           1.1372          05.07.2006  no virus found
NOD32v2             1.1523          05.05.2006  no virus found
Norman              5.90.17         05.05.2006  no virus found
Panda               9.0.0.4         05.07.2006  no virus found
Sophos              4.05.0          05.07.2006  no virus found
Symantec            8.0             05.07.2006  no virus found
TheHacker           5.9.7.139       05.05.2006  no virus found
UNA                 1.83            05.06.2006  no virus found
VBA32               3.11.0          05.06.2006  no virus found

Additional information
File size: 53760 bytes
MD5: ea2e9e72f5bc8ac2549b325a757d321d
SHA1: 82968811c3329c44edf796acaaf3f04618f99d97

I'm installing the new Spybot now.
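As an added example (my own code, not anything posted in this thread), here is a small Python parser for the VirusTotal text reports quoted above. It separates the rows that named something from the "no virus found" rows, computes the detection ratio, and checks that the pasted MD5/SHA1 are complete, since a truncated hash makes any later comparison useless. A single "Tool"/"Not a Virus" tag from one engine, as in the svchost.exe report, is a pointer to follow up on (which is what asking for the files does), not a verdict. The sample input is copied from the svchost.exe report above, trimmed to four engines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample in the layout of the VirusTotal text reports quoted in this thread.
# Rows and hashes are copied from the svchost.exe report above, trimmed to four engines.
SAMPLE_REPORT = """STATUS: FINISHED
Complete scanning result of "svchost.exe", received in VirusTotal at 05.08.2006, 00:51:50 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
CAT-QuickHeal 8.00 05.05.2006 Tool.XYNTService.c (Not a Virus)
ClamAV devel-20060426 05.07.2006 no virus found
Kaspersky 4.0.2.24 05.08.2006 no virus found


Aditional Information
File size: 53760 bytes
MD5: ea2e9e72f5bc8ac2549b325a757d321d
SHA1: 82968811c3329c44edf796acaaf3f04618f99d97
"""

CLEAN = "no virus found"
# engine, version and update date are single tokens; the verdict may contain spaces and parentheses
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$"
)


@dataclass
class VtReport:
    filename: str = ""
    size: Optional[int] = None
    md5: str = ""
    sha1: str = ""
    results: Dict[str, str] = field(default_factory=dict)  # engine -> verdict

    @property
    def detections(self) -> Dict[str, str]:
        """Engines whose verdict is anything other than the clean string."""
        return {e: v for e, v in self.results.items() if v.lower() != CLEAN}

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{len(self.results)}"

    def hashes_well_formed(self) -> bool:
        """Guard against a truncated copy/paste: MD5 is 32 hex chars, SHA1 is 40."""
        return bool(re.fullmatch(r"[0-9a-f]{32}", self.md5)) and bool(
            re.fullmatch(r"[0-9a-f]{40}", self.sha1)
        )


def parse_vt_report(text: str) -> VtReport:
    rep = VtReport()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.search(r'scanning result of "([^"]+)"', line)
        if m:
            rep.filename = m.group(1)
            continue
        if line.startswith("Antivirus Version Update Result"):
            in_table = True
            continue
        if line.startswith(("Aditional Information", "Additional Information")):
            in_table = False
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                rep.results[m["engine"]] = m["result"].strip()
            continue
        m = re.match(r"File size:\s*(\d+)", line)
        if m:
            rep.size = int(m.group(1))
            continue
        m = re.match(r"MD5:\s*([0-9A-Fa-f]+)", line)
        if m:
            rep.md5 = m.group(1).lower()
            continue
        m = re.match(r"SHA1:\s*([0-9A-Fa-f]+)", line)
        if m:
            rep.sha1 = m.group(1).lower()
    return rep


def summarize(text: str) -> str:
    """One-line summary plus the engines that flagged the file, for pasting back into a thread."""
    rep = parse_vt_report(text)
    lines = [f"{rep.filename}: {rep.ratio} engines flagged, size={rep.size}, md5={rep.md5}"]
    if not rep.hashes_well_formed():
        lines.append("  hashes look truncated; re-copy the report before comparing")
    for engine, verdict in sorted(rep.detections.items()):
        lines.append(f"  {engine}: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```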

CalamityJane
2006-05-08, 01:31
Thank you. I'd just like to verify those files. Can you put those two files into a zip file and send them to me in an email (by clicking this link)?

Outsider
2006-05-08, 01:43
Hi,

I just sent the files to your e-mail, and I ran Spybot 1.4 and it found only some cookies.

Outsider
2006-05-09, 17:44
Do you have any other comments or suggestions?

CalamityJane
2006-05-10, 01:47
Sorry, I have had connection problems since Sunday night (bad modem), and they got me a replacement today late.

Those two files were ok (as I was at least able to email you that info).

So what problems remain at this point, Outsider?

Outsider
2006-05-10, 21:18
About one month ago I noticed that my computer was infected by Look2Me, and after I ran Look2Me-Destroyer I'm having one slight problem. I'm not sure if it is related or not, but lately I can change everything on my desktop (like delete shortcuts, add program icons, change wallpaper, etc.), but when I boot the machine the next time, all the things that I removed (program icons and shortcuts) appear again. I don't have a problem changing the wallpaper, just with links and icons that appear on the desktop. For example, I removed the program BHODemon2, but when I reboot the machine a message appears saying there is an error with BHODemon.lnk; it occurs with all icons or links I had deleted, they all appear again. I've removed Panda Titanium 2006 (because I had problems during the installation) but the files were still on my drive C. It seems that the computer is not saving my personal settings when I log out, and it started when I ran Look2Me-Destroyer, though I had a lot of malware. Is it a malware problem, or is it more likely something else wrong with the computer? It's not too much of a bother, but it'd be good if it can be fixed. Any ideas?
I mean, this is the problem; can you help me?

CalamityJane
2006-05-10, 22:31
No, those symptoms would not be caused by running Look2Me-Destroyer. It sounds more like something you have installed is protecting or blocking changes. Are there any notices coming up from software on reboot saying something to advise that changes were made/not made?

Outsider
2006-05-10, 22:37
No, it just started to show that message from BHODemon, and I see on my desktop all the icons that I've deleted back again, but no message from other software saying something like an autorecover. By the way, my OS is Windows 2000.

CalamityJane
2006-05-10, 23:14
Let's see if this tool reveals anything:
Download Silent runners here (follow the instructions on that page)
http://www.silentrunners.org/sr_scriptuse.html

If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While waiting, a box will say done.
Wait until there is an All Done message!! (this can take more than a few minutes), then open and post the log next to it.

Outsider
2006-05-11, 02:06
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Internat.exe" = "internat.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"ATIPTA" = "C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe" ["ATI Technologies, Inc."]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"LidPolicy" = "C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe" ["Hewlett-Packard"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [null data]
"Protect Tray" = ""C:\Program Files\Pointsec\P95tray.exe"" ["Pointsec Mobile Technologies AB"]
"SmcService" = "C:\PROGRA~1\Sygate\SSA\smc.exe -startgui" ["Sygate Technologies, Inc."]
"VRCNotify" = "C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe" ["Ericsson Enterprise AB"]
"Babylon Client" = "C:\Program Files\Babylon\Babylon.exe -AutoStart" ["Babylon Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"
-> {HKLM...CLSID} = "GbIehObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINNT\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{fc181130-05a0-11d6-8140-000102e745a6}" = "Meu P910i"
-> {HKLM...CLSID} = "Meu P910i"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"
-> {HKLM...CLSID} = "GbPluginObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"
-> {HKLM...CLSID} = "GbPluginObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]
INFECTION WARNING! "{26A75E82-BB37-4F5F-98ED-8524EECB9CC9}" = (no title provided)
-> {HKLM...CLSID} = "CHook Object"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\eWorkplace\eWHook.dll" ["Hewlett-Packard Sverige AB"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "pssogina.dll" ["Pointsec Mobile Technologies AB"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WinEvents\DLLName = "WinEvents.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoWindowsUpdate"=dword:00000001
[removes Windows Update GUI links and disables web site functionality]
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove links and access to Windows Update}

HIJACK WARNING! "DisableWindowsUpdateAccess"=dword:00000001
[disables Windows Update web site functionality]
{User Configuration|Administrative Templates|Windows Components|
Windows Update|Remove access to use all Windows Update features}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\pscr_nt.SCR" ["Pointsec Mobile Technologies AB"]


Startup items in "edbmja" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0" -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Check for Pal Update" -> shortcut to: "C:\WINNT\Installer\{171CCEE2-E89C-4C40-8849-EE6D86E9AE7E}\Icon096DFE551.exe" [null data]
"ESOE 2000 Client Update" -> shortcut to: "C:\WINNT\Installer\{82E85313-9E2F-4FDD-9D3A-3FBE2E5EACF1}\Icon82E85313.exe" [null data]
"ESOE Control Center" -> shortcut to: "C:\WINNT\Installer\{2A12A86D-31D8-4144-B61A-364D23F7AAAF}\Icon2A12A86D1.exe" [null data]
"ESOE2000ClientUpdate2" -> shortcut to: "C:\WINNT\Installer\{BD4BDBDF-AB9F-4DF8-89EB-4553F4FA833C}\IconBD4BDBDF.exe" [null data]
"eWorkplace Control Center" -> shortcut to: "C:\WINNT\Installer\{2862D052-7680-4016-8215-43204AA3040A}\Icon2862D052.exe" [null data]
"Monitor de conexão de telefone" -> shortcut to: "C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe" ["Teleca Software Solutions AB"]
"RVIMsgBox.exe" -> shortcut to: "C:\WINNT\Installer\{3A5BD0B8-D1FB-4ED3-92E8-F4771A66E74E}\Icon3A5BD0B81.exe" [null data]
"Visio Viewer Update Check" -> shortcut to: "C:\WINNT\Installer\{90520409-6000-11D3-8CFE-0150048383C9}\Icon905204091.ico" [null data]
"WinVNC" -> shortcut to: "C:\WINNT\Installer\{0AA12B8D-A8A0-46F5-A4DF-6B782772965A}\Icon0AA12B8D.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\WINNT\Installer\{C2361C98-E1D6-4B34-A8DF-3728E2958BA5}\Icon48FB34A8.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
Ericsson Access Client, VRCService, "C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe" ["Ericsson Enterprise AB"]
Ericsson Access Client Configuration Support, VRCCfgService, "C:\WINNT\system32\VRCCfgService.exe" ["Ericsson Enterprise AB"]
ESOE Client Inventory Service, ECIS, "C:\Program Files\ESOE\EDMS\ECIS.exe" ["Hewlett-Packard Sverige AB"]
ESOE Log Service, ELogSrv, "C:\Program Files\ESOE\ELogSrv.exe" ["Hewlett-Packard Sverige AB"]
ESOE Process Manager, ESrv, "C:\Program Files\ESOE\ESrv.exe" ["Hewlett-Packard Sverige AB"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
eWorkplace Inventory, Inventory, "C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe" ["Hewlett-Packard Sverige AB"]
eWorkplace Log, LogSvc, "C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe" ["TODO: <Company name>"]
eWorkplace Scheduler, Scheduler, "C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe" ["Hewlett-Packard Sverige AB"]
Microsoft Security Center, Microsoft Security Center, "C:\WINNT\system32\IIS\svchost.exe" [null data]
Pointsec, Pointsec, "C:\WINNT\system32\PROT_SRV.EXE" [null data]
Pointsec service start, Pointsec_start, "C:\WINNT\system32\PSTARTSR.EXE" [null data]
Pointsec update agent, Pointsec_agent, "C:\WINNT\system32\pagents.exe" [null data]
SAVRoam, SAVRoam, "c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe" ["symantec"]
Sygate Security Agent, SmcService, "C:\Program Files\Sygate\SSA\smc.exe" ["Sygate Technologies, Inc."]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 2004 seconds, including 16 seconds for message boxes)
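Added example, not part of the thread: a Python triage pass over Silent Runners output of the kind posted above. The script does not decide what is malicious; it orders the flagged entries by what a reviewer would check first: launch points whose DLL carries no version data (`[null data]`, which is exactly why WinEvents.dll went to VirusTotal), entries pointing at files that no longer exist (`[file not found]`, usually debris left behind by an uninstalled product; the BHODemon shortcut is the one the poster keeps seeing), enabled policy restrictions, and otherwise a known publisher string in a sensitive location to confirm against the software actually installed. The input is an excerpt of the log posted above, with one `[MS]`-tagged row kept to show it being filtered out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the Silent Runners log posted above, trimmed to the entries worth triaging.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WinEvents\DLLName = "WinEvents.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Internat.exe" = "internat.exe" [MS]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoWindowsUpdate"=dword:00000001
[removes Windows Update GUI links and disables web site functionality]

C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0" -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]
"""

WARN_RE = re.compile(r"^(INFECTION|HIJACK) WARNING!\s*(.*)$")
TAG_RE = re.compile(r"\[([^\]]*)\]")            # trailing verification tags: [MS], [null data], ...
QUOTED_RE = re.compile(r'"([^"]*)"')
LOCATION_RE = re.compile(r"^(HK[A-Z]+\\|[A-Za-z]:\\)")   # registry key or startup-folder line
KIND_RANK = {"unverified": 0, "orphaned": 1, "policy": 2, "review": 3}


@dataclass
class Finding:
    location: str
    entry: str
    value: str                  # file path (or raw value for policy entries)
    tags: Tuple[str, ...]
    warning: str                # "INFECTION", "HIJACK" or ""
    kind: str = ""


def classify(tags: Tuple[str, ...], warning: str) -> str:
    if "null data" in tags:          # no embedded version/company info: identify the file first
        return "unverified"
    if "file not found" in tags:     # launch point survives, file is gone: stale uninstall debris
        return "orphaned"
    if warning == "HIJACK":          # policy restriction; confirm it is intentional
        return "policy"
    return "review"                  # sensitive location with a publisher string: confirm it


def _split_entry(body: str) -> Tuple[str, str, Tuple[str, ...]]:
    """Split 'name = "value" [tag]...' or 'name -> shortcut to: "path" [tag]' into parts."""
    if "shortcut to:" in body:
        left, right = body.split("shortcut to:", 1)
        left = left.replace("->", "")
    else:
        left, right = body.split("=", 1)
    quoted = QUOTED_RE.findall(right)
    value = quoted[0] if quoted else TAG_RE.sub("", right).strip()
    tags = tuple(t.strip('"') for t in TAG_RE.findall(right))
    return left.strip().strip('"'), value, tags


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    location = ""
    pending: Optional[Finding] = None

    def finalize(f: Finding) -> None:
        # keep only flagged locations and entries with a missing or unverifiable file
        if f.warning or {"null data", "file not found"} & set(f.tags):
            f.kind = classify(f.tags, f.warning)
            findings.append(f)

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if LOCATION_RE.match(line) and "=" not in line:
            if pending is not None:
                finalize(pending)
            pending, location = None, line
            continue
        if line.startswith("->"):                    # CLSID title line carries no file info
            continue
        if line.startswith(r"\InProcServer32\(Default)"):
            if pending is not None:                  # the DLL path and publisher live here
                _, value, tags = _split_entry(line)
                pending.value, pending.tags = value, tags
                finalize(pending)
                pending = None
            continue
        m = WARN_RE.match(line)
        warning, body = (m.group(1), m.group(2)) if m else ("", line)
        if "=" not in body and "shortcut to:" not in body:
            continue
        if pending is not None:
            finalize(pending)
        entry, value, tags = _split_entry(body)
        f = Finding(location, entry, value, tags, warning)
        if tags or warning == "HIJACK":
            finalize(f)
            pending = None
        else:
            pending = f                              # wait for the InProcServer32 line
    if pending is not None:
        finalize(pending)
    return sorted(findings, key=lambda f: (KIND_RANK[f.kind], f.location, f.entry))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:10}] {f.entry} -> {f.value}  tags={f.tags}  ({f.location})")
```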

CalamityJane
2006-05-11, 02:58
And a fresh HijackThis log please :blush:

I think I missed something, but I've been online 15 hours looking at nothing but logs and I'll revisit this in the a.m.

My apologies if I have but I'm too tired to see straight at the moment :sick:

CalamityJane
2006-05-11, 15:46
I still need a fresh HijackThis log when you get a chance.

Also, in going over the silent runners log, I noticed a few things, but I have some questions.

1. Is this a home or office computer?

2. I see SpySweeper is one of the installed programs. What version is it? When did you install it?

3. Windows update is disabled. Is that on purpose? If not, I need to know so we can fix it.

4. Do you see any errors in the Windows application event log?

Outsider
2006-05-11, 16:42
Logfile of HijackThis v1.99.1
Scan saved at 09:03:49, on 11/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\WINNT\system32\IIS\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\ESOE\EDMS\ECP.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Sony Ericsson\Mobile\SyncIndicator.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LidPolicy] C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: Monitor de conexão de telefone.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.ericsson.se/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143827140223
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://host3.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Access Client Configuration Support (VRCCfgService)- C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Access Client (VRCService) - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

Outsider
2006-05-11, 17:04
Now the answers to your questions.

1. Is this a home or office computer?
It's my personal computer that I use for work, and since I'm on a contract now the company needs to install some stuff.

2. I see SpySweeper is one of the installed programs. What version is it? When did you install it?
SpySweeper was the last program I installed. It was to remove cmdService (I mean it was), but it was a trial version that expired last week, so I've uninstalled it.

3. Windows update is disabled. Is that on purpose? If not, I need to know so we can fix it.
Yes, this is one of the prerequisites to connect to the network of the company that I'm working for now.

4. Do you see any errors in the Windows application event log ?
Yes, some errors, warnings and information, like:
Warnings: The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

information: The description for Event ID ( 23 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event:

Symantec AntiVirus Realtime Protection Loaded..

Error: Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
DETAIL - Access is denied. , Build number ((2195)).

Error: Windows cannot obtain the domain controller name for your computer network. Return value (59).

CalamityJane
2006-05-11, 18:12
Ok, great. I'll come back to the Windows errors - let me first address a few things I see.

It could be Spybot's TeaTimer blocking fixes, so let's temporarily disable that to fix some items that are showing in HijackThis.

1) Open Spybot-S&D
2) Go to the Mode menu and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
.........................
Do a *scan only* with HijackThis and when it finishes, place a checkmark next to these entries and press the *fix checked* button

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

F2 - REG:system.ini: UserInit=

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

That F2 entry may indicate a problem with the system.ini file because it would normally look like this:
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe, (though properly configured it would then not show on a HijackThis log).

It could be your Winlogon key has been corrupted by the Look2me infection (not the removal tool, but the infection itself is known to corrupt the Winlogon). It can be restored to its default value, but that would not restore any settings put there by a program, if needed. Norton often uses the Winlogon key, and I'm not seeing that in these logs - so that could be part of the problem.

Would you look on your computer for the Look2me-Destroyer.txt file that the tool would have created?

CalamityJane
2006-05-11, 19:10
Before I forget, your Sun Java is way outdated and makes your machine vulnerable to malware. You'll need to manually remove ALL old instances of Sun Java (there may be more than one) via the Control Panel in Add/Remove programs. That done, get the latest version of Sun Java here:
http://java.com/en/download/windows_xpi.jsp
.....................................................
You can delete the shortcut to the uninstalled BHOdemon that is located here:
C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0"
(from the Silent Runners log) -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]
...........................................
And on this key:
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

Remove only the value data: SsiEfr.e and leave the other remaining data alone.
(SsiEfr.e is a remnant from SpySweeper)
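
The two posts above point at three startup persistence locations that a cleanup routinely has to check: the Userinit value that should read C:\WINNT\System32\Userinit.exe, Winlogon Notify packages whose DLL is missing, and the BootExecute multi-string that should contain only the Windows default autochk entry. As an added illustration that is not part of the thread and not code from HijackThis, Silent Runners or Spybot, the Python script below runs that triage over the log lines quoted in the thread (embedded as constructed sample input) and computes what the cleaned BootExecute value should be. The function names, the severity labels, and the assumption that BootExecute has been exported as its separate REG_MULTI_SZ entries are mine; the script only reports and never writes to the registry.

```python
"""Triage of startup persistence points from HijackThis-style log lines,
plus a cleanup calculation for the BootExecute value.

Added example for this thread; it is not code from HijackThis, Silent
Runners or Spybot. It only reports; it never writes to the registry.
"""
import re

# Constructed sample input: entries copied from the HijackThis log and
# the Silent Runners output quoted in the thread.
HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =",
    r"F2 - REG:system.ini: UserInit=",
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
    r"O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
]

# Healthy Windows 2000 Userinit value, as given in the post above.
EXPECTED_USERINIT = r"C:\WINNT\System32\Userinit.exe,"
# Windows default content of the BootExecute REG_MULTI_SZ: one entry.
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"

# "O20 - Winlogon Notify: ..." -> section "O20", body "Winlogon Notify: ..."
HJT_LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def triage_line(line):
    """Classify one HijackThis line.

    Returns (severity, reason) for entries worth fixing, None for lines
    this triage has no opinion about (it is deliberately conservative:
    unknown O4/O23 entries are left to a human).
    """
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body").strip()

    if sec in ("R0", "R1") and body.endswith("="):
        # An IE setting with no data: an orphan left behind by a removed hijacker.
        return ("low", "empty Internet Explorer setting; orphan entry, fix it")

    if sec == "F2" and "UserInit=" in body:
        value = body.split("UserInit=", 1)[1].strip()
        if value == "":
            # Empty Userinit means the shell is never started for the user.
            return ("high", "UserInit is empty; expected " + EXPECTED_USERINIT)
        if value.lower() != EXPECTED_USERINIT.lower():
            return ("high", "UserInit differs from the default: " + value)
        return None

    if sec == "O2" and body.endswith("(no file)"):
        return ("low", "BHO registered but its DLL is gone; orphan entry, fix it")

    if sec == "O20" and "(file missing)" in body:
        # Winlogon loads Notify DLLs at logon; a dangling entry is an error source.
        return ("medium", "Winlogon Notify package whose DLL is missing; fix it")

    return None


def triage(lines):
    """Run triage_line over every line; returns [(line, severity, reason)]."""
    findings = []
    for line in lines:
        result = triage_line(line)
        if result is not None:
            findings.append((line, result[0], result[1]))
    return findings


def clean_boot_execute(entries):
    """Compute the cleaned BootExecute value.

    `entries` are the REG_MULTI_SZ strings as read from
    HKLM\\System\\CurrentControlSet\\Control\\Session Manager (assumption:
    the caller has exported them one string per list element). Keeps only
    the autochk entry, restores it if it was lost, and reports every other
    string (or anything glued after the '*') for removal.
    Returns (kept, removed).
    """
    kept, removed = [], []
    for entry in entries:
        tokens = entry.split()
        if [t.lower() for t in tokens[:3]] == ["autocheck", "autochk", "*"]:
            kept.append(DEFAULT_BOOT_EXECUTE)
            removed.extend(tokens[3:])        # e.g. a stray "SsiEfr.e" on the same line
        elif tokens:
            removed.append(entry.strip())     # separate foreign entry
    if not kept:
        kept.append(DEFAULT_BOOT_EXECUTE)     # never leave BootExecute without autochk
    return kept, removed


if __name__ == "__main__":
    for line, severity, reason in triage(HJT_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
    kept, removed = clean_boot_execute(["autocheck autochk *", "SsiEfr.e"])
    print("BootExecute should be:", kept, "remove:", removed)
```

On the sample lines the script flags the three empty IE settings, the empty Userinit, the orphaned BHO and the missing WRNotifier DLL, and leaves the WinEvents entry and the vptray Run entry to a human, since a present DLL or an ordinary Run value is not evidence on its own. For BootExecute it returns the single default entry and lists SsiEfr.e as the string to remove, whether the remnant was stored as its own entry or glued onto the autochk line.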

Outsider
2006-05-11, 19:15
I'm going to do all you said tonight because I'm busy now, and as soon as I finish I'll upload a new log.
Sorry for bothering you, and thanks a lot.

CalamityJane
2006-05-12, 21:43
Ok, Outsider,

Whenever it's convenient for you. We'll be here :)

tashi
2006-05-18, 00:47
This topic has been closed to prevent others with similar issues posting in it.

Please pm me or CalamityJane to re-open it.

CalamityJane
2006-05-26, 20:25
Thread is open at the request of: Outsider :)

Outsider
2006-05-26, 22:14
Hi,
I've already done all you said, but I still have the same problem: I delete some things from the desktop and when I restart the computer those things (files, links, etc.) are back.
*I could disable Spybot TeaTimer, and it's still off;
* I did a *scan only* with HijackThis and placed a checkmark next to the entries you said:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

F2 - REG:system.ini: UserInit=

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
------------------------------------------------------------------

*I could not uninstall my old Java version; it doesn't show the option to remove!
*About the Look2me-Destroyer log, I've already deleted it, sorry!!
*This is one of those things that I delete and when I restart the computer it is back. I did it again and now it's back again:
C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0"
(from the Silent Runners log) -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]
__________________

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:20, on 26/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\WINNT\system32\IIS\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ESOE\EDMS\ECP.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Sony Ericsson\Mobile\SyncIndicator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINNT\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.ericsson.com/page/hub_brazil
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LidPolicy] C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: Monitor de conexão de telefone.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - https://host3.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.ericsson.se/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143827140223
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://host3.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Access Client Configuration Support (VRCCfgService) - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Access Client (VRCService) - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

Outsider
2006-05-26, 22:41
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Internat.exe" = "internat.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"ATIPTA" = "C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe" ["ATI Technologies, Inc."]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"LidPolicy" = "C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe" ["Hewlett-Packard"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [file not found]
"Protect Tray" = ""C:\Program Files\Pointsec\P95tray.exe"" ["Pointsec Mobile Technologies AB"]
"SmcService" = "C:\PROGRA~1\Sygate\SSA\smc.exe -startgui" ["Sygate Technologies, Inc."]
"VRCNotify" = "C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe" ["Enterprise AB"]
"Babylon Client" = "C:\Program Files\Babylon\Babylon.exe -AutoStart" ["Babylon Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"
-> {HKLM...CLSID} = "GbIehObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINNT\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{fc181130-05a0-11d6-8140-000102e745a6}" = "Meu P910i"
-> {HKLM...CLSID} = "Meu P910i"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"
-> {HKLM...CLSID} = "GbPluginObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"
-> {HKLM...CLSID} = "GbPluginObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]
INFECTION WARNING! "{26A75E82-BB37-4F5F-98ED-8524EECB9CC9}" = (no title provided)
-> {HKLM...CLSID} = "CHook Object"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\eWorkplace\eWHook.dll" ["Hewlett-Packard Sverige AB"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "pssogina.dll" ["Pointsec Mobile Technologies AB"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WinEvents\DLLName = "WinEvents.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoWindowsUpdate"=dword:00000001
[removes Windows Update GUI links and disables web site functionality]
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove links and access to Windows Update}

HIJACK WARNING! "DisableWindowsUpdateAccess"=dword:00000001
[disables Windows Update web site functionality]
{User Configuration|Administrative Templates|Windows Components|
Windows Update|Remove access to use all Windows Update features}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\pscr_nt.SCR" ["Pointsec Mobile Technologies AB"]


Startup items in "edbmja" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0" -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Check for Pal Update" -> shortcut to: "C:\WINNT\Installer\{171CCEE2-E89C-4C40-8849-EE6D86E9AE7E}\Icon096DFE551.exe" [null data]
"ESOE 2000 Client Update" -> shortcut to: "C:\WINNT\Installer\{82E85313-9E2F-4FDD-9D3A-3FBE2E5EACF1}\Icon82E85313.exe" [null data]
"ESOE Control Center" -> shortcut to: "C:\WINNT\Installer\{2A12A86D-31D8-4144-B61A-364D23F7AAAF}\Icon2A12A86D1.exe" [null data]
"ESOE2000ClientUpdate2" -> shortcut to: "C:\WINNT\Installer\{BD4BDBDF-AB9F-4DF8-89EB-4553F4FA833C}\IconBD4BDBDF.exe" [null data]
"eWorkplace Control Center" -> shortcut to: "C:\WINNT\Installer\{2862D052-7680-4016-8215-43204AA3040A}\Icon2862D052.exe" [null data]
"Monitor de conexão de telefone" -> shortcut to: "C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe" ["Teleca Software Solutions AB"]
"RVIMsgBox.exe" -> shortcut to: "C:\WINNT\Installer\{3A5BD0B8-D1FB-4ED3-92E8-F4771A66E74E}\Icon3A5BD0B81.exe" [null data]
"Visio Viewer Update Check" -> shortcut to: "C:\WINNT\Installer\{90520409-6000-11D3-8CFE-0150048383C9}\Icon905204091.ico" [null data]
"WinVNC" -> shortcut to: "C:\WINNT\Installer\{0AA12B8D-A8A0-46F5-A4DF-6B782772965A}\Icon0AA12B8D.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\WINNT\Installer\{C2361C98-E1D6-4B34-A8DF-3728E2958BA5}\Icon48FB34A8.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
Access Client, VRCService, "C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe" ["Enterprise AB"]
Access Client Configuration Support, VRCCfgService, "C:\WINNT\system32\VRCCfgService.exe" ["Enterprise AB"]
ESOE Client Inventory Service, ECIS, "C:\Program Files\ESOE\EDMS\ECIS.exe" ["Hewlett-Packard Sverige AB"]
ESOE Log Service, ELogSrv, "C:\Program Files\ESOE\ELogSrv.exe" ["Hewlett-Packard Sverige AB"]
ESOE Process Manager, ESrv, "C:\Program Files\ESOE\ESrv.exe" ["Hewlett-Packard Sverige AB"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
eWorkplace Inventory, Inventory, "C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe" ["Hewlett-Packard Sverige AB"]
eWorkplace Log, LogSvc, "C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe" ["TODO: <Company name>"]
eWorkplace Scheduler, Scheduler, "C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe" ["Hewlett-Packard Sverige AB"]
Microsoft Security Center, Microsoft Security Center, "C:\WINNT\system32\IIS\svchost.exe" [null data]
Pointsec, Pointsec, "C:\WINNT\system32\PROT_SRV.EXE" [null data]
Pointsec service start, Pointsec_start, "C:\WINNT\system32\PSTARTSR.EXE" [null data]
Pointsec update agent, Pointsec_agent, "C:\WINNT\system32\pagents.exe" [null data]
SAVRoam, SAVRoam, "c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe" ["symantec"]
Sygate Security Agent, SmcService, "C:\Program Files\Sygate\SSA\smc.exe" ["Sygate Technologies, Inc."]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PrimoMon\Driver = "Primomonnt.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 12735 seconds, including 5 seconds for message boxes)

CalamityJane
2006-05-26, 23:39
I think we've done all we can do with the malware problems. There is nothing left there to deal with.

The remaining problems with leftovers from BHOdemon I can't really help with.

I would suggest either reinstalling the program and then uninstalling it again, or getting a good registry cleaner for Win2k and, after making a backup of your registry, searching for and deleting any instances of BHOdemon found. Search for any files left behind. Or contact BHOdemon support to find out the best way to remove it.

tashi
2006-05-31, 14:09
Thank you CalamityJane. :)