View Full Version : ISearchTech and Popups
I have gotten myself infected with some malware. I thought I got most of it off with Spybot but am still getting popups of all kinds. Additionally the properties page in My Network Places and the Device Manager page in system properties are both blank. I am posting my hjt log. Can you help?
Logfile of HijackThis v1.99.1
Scan saved at 6:58:28 AM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\SKYWARD\DDLC\bin\AdmSrvc.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\Realmon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\thobson\LOCALS~1\Temp\JobMonitor\JobMonitor.exe
D:\Program Files\Pumatech\Intellisync\AgentWCE.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\SKYWARD\DDLC\jre\bin\java.exe
d:\Novell\Messenger\NMCL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\downloads\hijacker\HijackThis.exe
C:\WINDOWS\system32\HPBPRO.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdaschools.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\Realmon.exe -s
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ScreenPrint32] D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EFI Job Monitor] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\efjm.dll,run
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GroupWise Notify.lnk = D:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Intellisync Windows CE Configure.lnk = D:\Program Files\Pumatech\Intellisync\syncwce.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128005520750
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://adminsys-tom/website/install/j2re-1_4_2-windows-i586.exe
O16 - DPF: {9D887407-4690-45C0-9451-15CD63E615CA} (BOSIRichEditActiveX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} (BOSIActiveFormX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXGrid.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emasupport.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - d:\Novell\Messenger\nmcg32.dll
O23 - Service: AdminService for PROGRESS 9.1D (AdminService9.1D) - Unknown owner - C:\SKYWARD\DDLC\bin\AdmSrvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
little eagle
2005-11-24, 03:08
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
Then post the report here and a new hijackthis log reboot before doing this.
I tried to download the Ewido suite but my anti-virus software says that it is infected with the win32/istbar.65280! trojan!
little eagle
2005-11-28, 18:56
I assure it isn't ;) disable your AV download it and run per instructions:cool:
Ok here are the logs. Ewido did find 4 infections in the registry and removed them. I had to leave my computer running to finish the scan when I left last night and we had some power problems. I was able to see that the scan finished and didn't find anymore infections but wasn't able to save the log this morning. I ran a subsequent scan this morning. It came up clean and I have included the report from it. I ran hijackthis and am including the log from it. Thanks for you assistance.
Tom
Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:25:29 AM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\SKYWARD\DDLC\bin\AdmSrvc.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\thobson\LOCALS~1\Temp\JobMonitor\JobMonitor.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Pumatech\Intellisync\AgentWCE.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPBPRO.EXE
D:\downloads\hijacker\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdaschools.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [ScreenPrint32] D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [EFI Job Monitor] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\efjm.dll,run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GroupWise Notify.lnk = D:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Intellisync Windows CE Configure.lnk = D:\Program Files\Pumatech\Intellisync\syncwce.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128005520750
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://adminsys-tom/website/install/j2re-1_4_2-windows-i586.exe
O16 - DPF: {9D887407-4690-45C0-9451-15CD63E615CA} (BOSIRichEditActiveX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} (BOSIActiveFormX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXGrid.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emasupport.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - d:\Novell\Messenger\nmcg32.dll
O23 - Service: AdminService for PROGRESS 9.1D (AdminService9.1D) - Unknown owner - C:\SKYWARD\DDLC\bin\AdmSrvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Ewido Report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:12:07 AM, 11/29/2005
+ Report-Checksum: B460C7AB
+ Scan result:
No infected objects found.
::Report End
little eagle
2005-11-29, 23:22
Do you know what this program is? if not can you zip and upload the file in bold.
here (http://forums.security-central.us/showthread.php?t=270)
C:\SKYWARD\DDLC\bin\AdmSrvc.exe
Yes that program is a service that I run to be able to start and stop a progress database engine for some software we use here.
Tom
little eagle
2005-11-30, 00:23
Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Don't use your computer while RKR is scanning.
Start RKR, wait about 10 seconds, click Scan, then leave computer untouched until it completes. An idle machine will minimise the possibility of false positive reports caused by changes to the system during the scan. Background processes may still make intermittent changes, but resulting discrepancies tend to be obvious from their registry or filesystem branch; on a re-scan many may not recur.
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.
Copy/Paste the contecnts of that logfile into your next reply
Here is the report from RookitRevealer. It looks like there are some problems out there. Let me know where to go from here. It appears that I need to split this into 2 posts. The second is to follow.
HKLM\SOFTWARE\CuiU8AD5JU2m 11/28/2005 6:27 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/30/2005 6:26 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDFRTER 11/28/2005 6:27 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Cdfrter 11/30/2005 6:19 AM 0 bytes Hidden from Windows API.
C:\Program Files\Neteting 11/30/2005 5:13 AM 0 bytes Hidden from Windows API.
C:\Program Files\Neteting\ace.dll 11/28/2005 6:27 AM 568.00 KB Hidden from Windows API.
C:\Program Files\Neteting\AI_28-11-2005.log 11/28/2005 6:28 AM 3 bytes Hidden from Windows API.
C:\Program Files\Neteting\AI_29-11-2005.log 11/29/2005 12:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Neteting\AI_30-11-2005.log 11/30/2005 5:13 AM 3 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache 11/30/2005 6:19 AM 0 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000029_438b17e6_00016e36 11/30/2005 5:14 AM 37.34 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000029_438b24ca_00081b32 11/30/2005 6:16 AM 12.10 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000029_438b2f58_00057bcf 11/29/2005 2:32 PM 2.31 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000029_438c58b8_0008583b 11/30/2005 6:19 AM 1.13 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000029_438c7320_0001312d 11/29/2005 7:26 AM 41.90 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000029_438c7840_0006acfc 11/29/2005 7:48 AM 110 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000001eb_438b3c0a_0002dc6c 11/28/2005 9:19 AM 12.93 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000001eb_438cd9a3_0002dc6c 11/30/2005 5:24 AM 3.11 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000bb3_438b473d_00094c5f 11/28/2005 10:06 AM 937 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000bb3_438cd9a9_00000000 11/29/2005 2:43 PM 5.33 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00000f3e_438b4743_0006ea05 11/28/2005 10:06 AM 937 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000012db_438b4742_0007de29 11/28/2005 10:06 AM 0 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\0000153c_438b4743_0000b71b 11/28/2005 10:06 AM 937 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00001649_438b2f5b_0007270e 11/28/2005 8:24 AM 5.25 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00001649_438c74c0_0001ab3f 11/29/2005 7:33 AM 67.91 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00001649_438cd720_000a4083 11/29/2005 2:33 PM 60.71 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438b18b3_00090f56 11/28/2005 6:48 AM 25.50 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438b24d1_0000b71b 11/28/2005 7:40 AM 98 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438b2f58_000dd40a 11/28/2005 8:24 AM 232 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438c7095_000e1113 11/29/2005 7:15 AM 455 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438c732e_0009c671 11/29/2005 7:27 AM 51.19 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438c8f1e_0001ab3f 11/29/2005 9:25 AM 54.19 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000018be_438db4ee_000b34a7 11/30/2005 6:21 AM 21.55 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000026e9_438b2f68_000632ea 11/28/2005 8:25 AM 0 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000026e9_438cd9a0_000d59f8 11/29/2005 2:43 PM 4.10 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002cd6_438b285d_0001ab3f 11/30/2005 6:13 AM 120 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002cd6_438b2f5a_000cdfe6 11/28/2005 8:24 AM 235 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002cd6_438c7097_0002dc6c 11/29/2005 7:15 AM 468 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002cd6_438c7351_000a037a 11/29/2005 7:27 AM 150.95 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002cd6_438cd70e_00044aa2 11/29/2005 2:32 PM 4.32 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002ea6_438b4742_0000b71b 11/28/2005 10:06 AM 15.79 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00002ea6_438cd9a9_00040d99 11/29/2005 2:43 PM 220 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\0000390c_438b4743_0006ea05 11/28/2005 10:06 AM 937 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00003d6c_438b285c_000d59f8 11/28/2005 7:55 AM 3 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00003d6c_438b2f5a_000aba95 11/28/2005 8:24 AM 455 bytes Hidden from Windows API.
Here is the second part of the log from rookitrevealer.
Tom
C:\Program Files\Neteting\Cache\00003d6c_438c7096_0007de29 11/29/2005 7:15 AM 602 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00003d6c_438c734f_000f0537 11/29/2005 7:27 AM 2.71 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00003d6c_438cd70d_000aba95 11/29/2005 2:32 PM 1.01 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000041bb_438b2f5c_000487ab 11/28/2005 8:25 AM 64.30 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000041bb_438c751c_000d1cef 11/29/2005 2:36 PM 12.04 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000041bb_438cd797_0005f5e1 11/29/2005 2:35 PM 7.44 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004823_438b18ac_000a4083 11/28/2005 6:48 AM 22.32 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004823_438b24cf_000c28cb 11/29/2005 7:48 AM 5.38 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004823_438b2f58_000a4083 11/29/2005 2:32 PM 454 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004823_438c7095_0005b8d8 11/29/2005 7:15 AM 17.46 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004823_438c7327_00098968 11/29/2005 7:26 AM 2.65 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004823_438c7841_000a037a 11/29/2005 7:48 AM 1001 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004ae1_438b24d1_00089544 11/28/2005 7:40 AM 809 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004ae1_438b2f5a_00007a12 11/28/2005 8:24 AM 5.21 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004ae1_438c7096_00076417 11/29/2005 7:15 AM 453 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004ae1_438c734f_000baeb9 11/29/2005 7:27 AM 563 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00004ae1_438cd70c_0007270e 11/29/2005 2:32 PM 224 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00005af1_438b2f5b_000b34a7 11/29/2005 2:32 PM 264 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00005af1_438c74e9_0008d24d 11/29/2005 7:34 AM 63.83 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00005af1_438cd794_000baeb9 11/29/2005 2:35 PM 480 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00005f90_438b2f5b_00029f63 11/29/2005 2:32 PM 708 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00005f90_438c7355_00057bcf 11/29/2005 7:27 AM 5.87 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00005f90_438cd714_000c28cb 11/29/2005 2:32 PM 776 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006784_438b18c7_000b71b0 11/28/2005 6:48 AM 192 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006784_438b24d1_00044aa2 11/28/2005 7:40 AM 721 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006784_438b2f59_0006ea05 11/28/2005 8:24 AM 1.05 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006784_438c7096_0003567e 11/29/2005 7:15 AM 455 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006784_438c734e_0006acfc 11/29/2005 7:27 AM 1.23 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006784_438cd6fc_000dd40a 11/29/2005 2:32 PM 57.57 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006952_438b2f5b_0001312d 11/28/2005 8:24 AM 1.12 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006952_438c7354_00044aa2 11/29/2005 7:27 AM 1.16 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006952_438cd714_000b34a7 11/29/2005 2:32 PM 6.57 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006df1_438b2f5b_000aba95 11/28/2005 8:24 AM 5.08 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006df1_438c74c5_0008583b 11/29/2005 7:33 AM 592 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00006df1_438cd788_000e1113 11/29/2005 2:34 PM 71.09 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000072ae_438b285d_000a4083 11/30/2005 6:13 AM 120 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\000072ae_438b2f5a_000ec82e 11/28/2005 8:24 AM 1.03 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000072ae_438c7353_000bebc2 11/29/2005 7:27 AM 1.26 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\000072ae_438cd714_0007de29 11/29/2005 2:32 PM 382 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\00007e87_438b4743_0000f424 11/28/2005 10:06 AM 937 bytes Hidden from Windows API.
C:\Program Files\Neteting\Cache\dns 11/30/2005 6:24 AM 4.27 KB Hidden from Windows API.
C:\Program Files\Neteting\Cache\index 11/30/2005 6:21 AM 8.00 KB Hidden from Windows API.
C:\Program Files\Neteting\data.bin 11/28/2005 6:27 AM 114.94 KB Hidden from Windows API.
C:\Program Files\Neteting\itintr32.exe 11/30/2005 6:19 AM 912.00 KB Hidden from Windows API.
C:\Program Files\Neteting\jviirdao.exe 11/28/2005 6:27 AM 164.00 KB Hidden from Windows API.
C:\Program Files\Neteting\WinGenerics.dll 11/28/2005 6:27 AM 576.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\sec02nt5.sys 11/28/2005 6:27 AM 12.00 KB Hidden from Windows API.
C:\WINDOWS\system32\p2bbdycc.exe 11/28/2005 6:27 AM 488.00 KB Hidden from Windows API.
little eagle
2005-11-30, 23:50
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
Here is the Aproposfix log:
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\thobson\Desktop\aproprsfix\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CuiU8AD5JU2m]
@="uHJVXIVeffeffgfUPj56ZGeffeuhfA 1v2A6fWcWXIQlkfHVMZIVWfWIGikRXngWcW"
"Device"="\\\\.\\ql1RSvc"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\sec02nt5.sys"
"DriverName"="Cdfrter"
"HideUninstallerName"="C:\\Program Files\\Neteting\\jviirdao.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\custepad.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{FE208787-844D-449A-8C1A-47770C19E12D}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\dnsqdvd.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X6e4868d-37e8-1ca9-b634-7603a9262637}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
************
Removing hidden service:
Service Cdfrter removed.
Removing hidden folder:
Deletion of folder Neteting succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\sec02nt5.sys succeeded!
Deletion of file C:\WINDOWS\system32\p2bbdycc.exe succeeded!
Deletion of file C:\WINDOWS\system32\dnsqdvd.dll succeeded!
Deletion of file C:\WINDOWS\system32\custepad.exe succeeded!
Backing up files:
Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CuiU8AD5JU2m]
[-HKEY_LOCAL_MACHINE\Software\CuiU8AD5JU2m]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE208787-844D-449A-8C1A-47770C19E12D}]
Done!
Finished!
Here is the new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:21:50 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\SKYWARD\DDLC\bin\AdmSrvc.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\thobson\LOCALS~1\Temp\JobMonitor\JobMonitor.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Pumatech\Intellisync\AgentWCE.Exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\downloads\hijacker\HijackThis.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPBPRO.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdaschools.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [ScreenPrint32] D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [EFI Job Monitor] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\efjm.dll,run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GroupWise Notify.lnk = D:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Intellisync Windows CE Configure.lnk = D:\Program Files\Pumatech\Intellisync\syncwce.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128005520750
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://adminsys-tom/website/install/j2re-1_4_2-windows-i586.exe
O16 - DPF: {9D887407-4690-45C0-9451-15CD63E615CA} (BOSIRichEditActiveX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} (BOSIActiveFormX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXGrid.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emasupport.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - d:\Novell\Messenger\nmcg32.dll
O23 - Service: AdminService for PROGRESS 9.1D (AdminService9.1D) - Unknown owner - C:\SKYWARD\DDLC\bin\AdmSrvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Let me know where we go from here. It looked like maybe it cleaned up the stuff that was found earlier!
Thanks
Tom
little eagle
2005-12-02, 04:05
This looks like a good place to start . http://forums.spybot.info/showthread.php?t=279
Not really seeing anything that needs fixing.:bigthumb:
Thank you for all you assistance. Everything looks good on this end. I will definitely be more careful even when I think I am on the trusted site (I was actually on a look alike site).
Thanks again
Tom
little eagle
2005-12-02, 14:51
SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as “phishing".
Home Page (http://www.corestreet.com/spoofstick/)
Download SpoofStick for Internet Explorer or for Firefox.
As the problem appears to be resolved this topic will be archived.
If you need the topic reopened please pm me.
Glad we could help.