Can't Remove Look2Me

Looks like about 80% success...

Logfile of HijackThis v1.99.1
Scan saved at 10:41:37 AM, on 4/2/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\csrss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
 
I tried it using Safe Mode with Networking (sorry to be impatient, but I have all day to work on this today, and once I'm back to work tomorrow, it becomes more difficult). The resulting new log is identical to the last one I posted, except for the time stamp -- it's just the "F2" entries that refuse to go away. What's next? :scratch:
 
I just realized you have another serious infection there.

==

Please download Haxfix.exe:
  • Save it to your desktop.
  • Double-click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
  • Checkmark "Create a desktop icon".
  • Click "Next".
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
  • Click "Finish".
  • A red "dos window" (dos box) will open.
  • Select option 1. Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer. When it is finished a logfile will open.
  • Copy the contents of that logfile and paste it into this thread. :bigthumb:
 
Here is the haxlog.txt file:

HAXFIX logfile - by Marckie
--------------
Mon 04/03/2006 6:41:58.48

checking for ps.a3d....
ps.a3d is present!

checking for matching notify keys....
matching notify keys found
winm

checking for matching services....
matching services found
winm32
winm64

checking for matching safeboot services....
matching safeboot services found
winm32.sys
winm64.sys
 
Option 3 Manual fix:
  • Open the following folder: C:\Program Files\Haxfix\
  • Double-click on Fix.bat.
  • Close all other open windows since this step requires a reboot.
  • Select option 3. Run manual fix by typing 3 and then pressing Enter.
This message will appear:
echo Insert the haxdoorkey,
and then press Enter:
  • Type the following: winm
    When this is a valid choice, the key will be added to delete.
  • There is the possibility to add a new key: Yes (type Y) or No (type N).
    Followed by this message:
    Haxdoorkey winm added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:
  • Type N for No and press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of the logfile together with a new HijackThis log. :bigthumb:
 
Here ya go... I hope this is good! :)

HAXFIX logfile - by Marckie
--------------
Mon 04/03/2006 9:23:16.37

Manual Haxdoorfix

Adding haxdoorkeys to delete...
winm


haxdoor key: winm
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor key: winm
searching for services....
services not found

checking if files are found.....
winm32.dll exist
winm32.sys exist
winm64.sys exist
winm16.dll not found
winm16.sys not found
winm24.sys not found
winmxt.dll not found
winmxt.sys not found
winmxm.sys not found

deleting files.....

checking if files are deleted.....


checking for other files.....
qy.sys exist
qz.dll exist
qz.sys exist
klogini.dll exist
p3.ini exist
ps.a3d exist
klgcptini.dat not found
qm.dll not found
qm.sys not found
qy.dll not found
zq.dll not found
zq.sys not found
stt82.ini not found
klo5.sys not found
fux87.ini not found
set87.ini not found

deleting other files.....

checking if the files are deleted.....


Finished

======

Logfile of HijackThis v1.99.1
Scan saved at 9:33:27 AM, on 4/3/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\WINNT\SYSTEM32\cmd.exe
F:\WINNT\system32\net.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
 
Better ;)

Hmm. We still have the dang F2 entries to get rid of. I modified the regfix a bit.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fix.reg to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="F:\\WINNT\\System32\\userinit.exe,dvqiqyw.exe"

Now double-click on the Fix.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Reboot.

==

After reboot, run a scan with HijackThis and check the following objects for removal:

F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Post back a new log and let me know if you have any issues with the PC. :)
 
This was interesting...

1) I imported your fix.reg file -- the entire contents of the WinLogon key were removed -- I hope this was what was intended!
2) Both the shell= and userinit= came back within a few seconds of the import
3) I ran HJT and told it to fix the F2 entries (the O20 entry was not present)
4) I rebooted
5) I ran HJT and the F2 entries were still present
6) I reimported your fix.reg -- this time neither of the F2 entries came back into the registry
7) I rebooted -- the Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe was back in the registry, but the userinit= line was not
8) I ran HJT -- both F2 entries were present, but the userinit line was just Userinit=
9) I told HJT to fix both F2 entries -- after this, looking at the registry, both bad entries were back!
10) I repeated steps 4) thru 7) -- the current HJT log is below. Hope to hear from you soon! :)

Logfile of HijackThis v1.99.1
Scan saved at 8:05:14 PM, on 4/3/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\cmd.exe
F:\WINNT\regedit.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
 
Whoops, there should be a step 11)... I ran HJT and told it to fix ONLY the F2 entry for shell= line. The log I posted was generated after doing that.
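The F2 checks discussed in the posts above, as an added example that is not part of the thread, HijackThis or Haxfix: it parses HijackThis F2 lines, splits the comma-separated Winlogon Shell and Userinit command lists, flags anything beyond the Windows defaults (here rbjef.exe and dvqiqyw.exe), reports an empty Userinit value, and compares a before-fix scan with an after-fix scan so that extras which survive a fix stand out. The sample lines are copied from the logs in this thread; the baseline of expected names is my assumption.

```python
"""Triage helper for HijackThis F2 (Winlogon Shell/Userinit) lines.
Example code added for this thread; not from HijackThis or Haxfix."""
import re
from typing import Dict, List

# Assumed clean baseline: Shell is only Explorer.exe, Userinit is only
# userinit.exe (Windows writes it with a trailing comma, which produces an
# empty token that we drop). Paths are reduced to file names so that
# 'F:\WINNT\SYSTEM32\Userinit.exe' and 'userinit.exe' compare equal.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)


def split_commands(value: str) -> List[str]:
    """Turn 'Explorer.exe, F:\\WINNT\\System32\\rbjef.exe' into lower-case
    executable names: ['explorer.exe', 'rbjef.exe']."""
    names = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if not part:
            continue  # trailing comma of a default Userinit value
        names.append(part.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def check_f2_lines(log_text: str) -> Dict[str, List[str]]:
    """Scan a HijackThis log and return the extra executables chained to the
    Shell and Userinit values, plus 'empty' for values with no command at all
    (an empty Userinit=, as in the later log, starts nothing at logon)."""
    findings: Dict[str, List[str]] = {"shell": [], "userinit": [], "empty": []}
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key = m.group(1).lower()
        names = split_commands(m.group(2))
        if not names:
            findings["empty"].append(key)
            continue
        findings[key].extend(n for n in names if n not in EXPECTED[key])
    return findings


def survived_fix(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> List[str]:
    """Extras reported both before and after a fix. Anything listed here was
    put back, which is the pattern the poster describes (values returning
    within seconds of the .reg import): something still running on the box
    is rewriting them, so removing the F2 lines alone will not hold."""
    pre = set(before["shell"] + before["userinit"])
    post = set(after["shell"] + after["userinit"])
    return sorted(pre & post)


# Sample input: F2 lines copied from the HijackThis logs in this thread.
LOG_BEFORE_FIX = """\
F2 - REG:system.ini: Shell=Explorer.exe, F:\\WINNT\\System32\\rbjef.exe
F2 - REG:system.ini: UserInit=F:\\WINNT\\SYSTEM32\\Userinit.exe,dvqiqyw.exe
"""
LOG_AFTER_FIX = """\
F2 - REG:system.ini: Shell=Explorer.exe, F:\\WINNT\\System32\\rbjef.exe
F2 - REG:system.ini: UserInit=
"""

if __name__ == "__main__":
    before = check_f2_lines(LOG_BEFORE_FIX)
    after = check_f2_lines(LOG_AFTER_FIX)
    print("before fix:", before)
    print("after fix: ", after)
    print("survived:  ", survived_fix(before, after))
```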
 
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :)
 
Whew! Only a few hundred thousand files to scan... here's the ActiveScan report:

Incident Status Location

Adware:Adware/Qoologic Not disinfected F:\WINNT\System32\hysawbh.dll
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@c5.zedo[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@maxserving[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@realmedia[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@trafficmp[1].txt
Spyware:Cookie/Adserver Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@zedo[2].txt
Adware:Adware/PurityScan Not disinfected C:\Veracruz.exe
Virus:Trj/NetCat.A Not disinfected 2001\Inbox\Utils\Netcat For windows\ncnt090.zip[netcat.exe]
Virus:EICAR-AV-TEST-FILE Not disinfected 2002\Sent Items\RE: Odd request, but what's new... :)\EICAR.COM
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools\psexec.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools\pskill.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools.zip[pskill.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools.zip[psexec.exe]
Virus:Trj/Qoologic.J Not disinfected F:\avenger\backup.zip[rbjef.exe]
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@c5.zedo[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@maxserving[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@realmedia[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@trafficmp[1].txt
Spyware:Cookie/Adserver Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\bithead.001\Cookies\bithead@zedo[2].txt
Potentially unwanted tool:Application/Psshutdown.A Not disinfected F:\WINNT\psshutdown.exe
Adware:Adware/Qoologic Not disinfected F:\WINNT\system32\hohdr.dat
 
Well, this just keeps getting more interesting! From the ActiveScan log it appears that QooLogic is still the culprit to be eliminated. So, I took a look at QLOCATE.BAT as provided with the FindQool tool, and then at LOCATE.COM. It turns out that LOCATE.COM is able to see files on my PC that nothing else can! For example, here I manually execute a line from the batch file:

F:\FindQool>LOCATE %WinDir%\System32\???????.exe /D- /D:T-5M /S:23552! /NR /N
F:\WINNT\SYSTEM32\DVQIQYW.EXE

It successfully located the file listed. Similarly, just typing a command results in another file being seen:

F:\FindQool>locate \winnt\system32\brsag*

F:\WINNT\SYSTEM32\
brsags.exe Thu Mar 30 2006 12:45:04p A.... 127,488 124.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 127,488 bytes 124.50 K

But the really strange thing is that I cannot see either of those files from Explorer or a command prompt. I have Explorer configured to show everything, and in a command prompt environment, DIR with the /ah and /as options comes up empty for the above files.

So, why can LOCATE.COM see these things, but nothing else can? And more importantly, how can I get rid of these invisible files? :scratch: (Please hurry! I haven't much hair left!)
 
Progress! I was able to use Killbox.exe to get rid of the "super hidden" files. FYI, these included:

F:\WINNT\SYSTEM32\brsags.exe
F:\WINNT\SYSTEM32\dvqiqyw.exe
F:\WINNT\SYSTEM32\rbjef.exe
F:\WINNT\SYSTEM32\hysawbh.dll
F:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\tyebm.exe

Then I ran HJT and told it to get rid of the pesky F2 entries -- after rebooting, they're still gone! FindQool is still reporting a couple of registry entries that I need to remove, but it doesn't tell me quite where they are so I may need some help there. Here are the FindQool and HJT logs.

Thanks for all your help! Please let me know if I appear healthy again.

Wed 04/05/2006
Running from: F:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

F:\WINNT\SYSTEM32\HOHDR.DAT
Re-check using dir /a:-d
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"biwrfq"="F:\\WINNT\\System32\\brsags.exe reg_run"
HKCU
"wfesh"="F:\\WINNT\\System32\\brsags.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ F:\WINNT\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006

=====

Logfile of HijackThis v1.99.1
Scan saved at 1:32:17 PM, on 4/5/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\cmd.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [biwrfq] F:\WINNT\System32\brsags.exe reg_run
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [wfesh] F:\WINNT\System32\brsags.exe reg_run
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
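The discrepancy described a few posts up (LOCATE.COM reports files in SYSTEM32 that DIR /a and Explorer do not) is a cross-view difference, and the FindQool "Runs" entries above point at one of those same files. The following Python script is an added example, not code from the thread, FindQool or LOCATE.COM: it parses a LOCATE.COM listing and a DIR /a listing of the same directory, reports the names only the former sees, and maps each to the full Run-key locations from HijackThis O4 lines. The two listing formats are assumptions modelled on the lines quoted in the thread, and all sample input is constructed.

```python
# Added example (not from the thread, FindQool or LOCATE.COM). Line formats are
# assumptions modelled on the thread's quoted output; sample input is constructed.
from __future__ import annotations
import re

# LOCATE.COM detail line (assumed format), e.g.
#   brsags.exe Thu Mar 30 2006 12:45:04p A.... 127,488 124.50 K
LOCATE_LINE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap]\s+"
    r"(?P<attrs>[A-Za-z.]+)\s+(?P<size>[\d,]+)\s"
)
# Windows 2000 'dir /a' detail line (assumed format), e.g.
#   12/07/1999  12:00p              50,960 notepad.exe
#   03/30/2006  12:45p      <DIR>          .
DIR_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}[ap]\s+(?P<kind><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)
# HijackThis O4 Run line; HJT abbreviates Software\Microsoft\Windows\CurrentVersion as '..'
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$"
)
RUN_KEY_PREFIX = "Software\\Microsoft\\Windows\\CurrentVersion"

def parse_locate(text: str) -> set[str]:
    """Lower-cased file names from a LOCATE.COM listing; header/footer lines are skipped."""
    names = set()
    for line in text.splitlines():
        m = LOCATE_LINE.match(line.strip())
        if m:
            names.add(m.group("name").lower())
    return names

def parse_dir(text: str) -> set[str]:
    """Lower-cased file names from 'dir /a' output; directory entries are skipped."""
    names = set()
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m and m.group("kind") != "<DIR>":
            names.add(m.group("name").lower())
    return names

def cross_view_diff(raw_view: set[str], api_view: set[str]) -> set[str]:
    """Names the low-level enumerator reports that the Win32-level one does not."""
    return raw_view - api_view

def _command_basename(cmd: str) -> str:
    """Base name of the executable in a Run value's command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()

def parse_hjt_o4(text: str) -> dict[str, list[str]]:
    """Map each executable's base name to the full Run-key locations that reference it."""
    refs: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            where = f"{m.group('hive')}\\{RUN_KEY_PREFIX}\\{m.group('key')} -> value '{m.group('value')}'"
            refs.setdefault(_command_basename(m.group("cmd")), []).append(where)
    return refs

def find_hidden_autoruns(locate_text: str, dir_text: str, hjt_text: str) -> dict[str, list[str]]:
    """Files only LOCATE sees, each with the Run entries (if any) that would start it."""
    hidden = cross_view_diff(parse_locate(locate_text), parse_dir(dir_text))
    refs = parse_hjt_o4(hjt_text)
    return {name: refs.get(name, []) for name in sorted(hidden)}

# Constructed sample input: names as in the thread, sizes and dates invented.
SAMPLE_LOCATE = """\
F:\\WINNT\\SYSTEM32\\
brsags.exe Thu Mar 30 2006 12:45:04p A.... 127,488 124.50 K
dvqiqyw.exe Thu Mar 30 2006 12:45:10p A.... 23,552 23.00 K
notepad.exe Tue Dec 07 1999 12:00:00p A.... 50,960 49.77 K
3 items found: 3 files, 0 directories.
"""
SAMPLE_DIR = """\
03/30/2006  12:45p      <DIR>          .
12/07/1999  12:00p              50,960 notepad.exe
               1 File(s)         50,960 bytes
"""
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [WinVNC] "D:\\Program Files\\UltraVNC\\WinVNC.exe" -servicehelper
O4 - HKLM\\..\\Run: [biwrfq] F:\\WINNT\\System32\\brsags.exe reg_run
O4 - HKCU\\..\\Run: [wfesh] F:\\WINNT\\System32\\brsags.exe reg_run
"""

if __name__ == "__main__":
    for name, where in find_hidden_autoruns(SAMPLE_LOCATE, SAMPLE_DIR, SAMPLE_HJT).items():
        print(f"{name}: seen by LOCATE only; autorun refs: {where or 'none'}")
```

Feed it real listings of the same directory taken by two different tools and the names it prints are the ones to verify by hand before deleting anything.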
 
:bigthumb: I did a regedit search and removed everything with 'brsags' in it, rebooted and all looks good. I hadn't noticed brsags in the HJT log before, but now it's gone... :)

Logfile of HijackThis v1.99.1
Scan saved at 2:21:48 PM, on 4/5/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\cmd.exe
F:\WINNT\system32\notepad.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.17:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
 
I'm so sorry for the delay in replies; I have lost the subscription somewhere :scratch:

Your latest log looks good. Can you please post another Panda & FindQool log to look at :)
 
Yay, you're back! I'm glad you found me again! :)

Here is the FindQool log. There are literally over a million files on this PC, so the Panda scan needs hours to run. I'll post back with it as soon as I can. Please don't forget about me! ;)

Fri 04/07/2006
Running from: F:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

Re-check using dir /a:-d
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ F:\WINNT\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006
 
I'm not out of the woods yet. During the Panda scan, my realtime virus scanner popped this message up on the screen:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\ac2_0003.exe
Location: Quarantine
Computer: W2KPRO-1
User: bdoster
Action taken: Quarantine succeeded : Access denied
Date found: Friday, April 07, 2006 7:18:07 AM

Any idea where that might be coming from? Since my post of a few days ago, the machine has been running fine.
 
Your FindQool log looks good.

Let's try Kaspersky instead of Panda (I just want to make sure nothing is left out of the fix..):

Please do an online scan with Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Standard
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
Panda is almost half finished right now. I think I'll let it complete, then run the Kaspersky scan. Stay tuned... ;)
 
Panda's ActiveScan is below. In the meantime, another virus-infected file was found during the scan:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: F:\!KillBox\dvqiqyw.exe
Location: Quarantine
Computer: W2KPRO-1
User: bdoster
Action taken: Quarantine succeeded : Access denied
Date found: Friday, April 07, 2006 9:51:34 AM

This one is a backup made by Killbox before deleting the file, and the file was part of the original Qoologic infection. Maybe it copied itself but was never activated, and that's where the first one came from? You would know better than I -- I am completely guessing at this point.

I'll do the Kaspersky scan now. Here is the new Panda scan:


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@adopt.hbmediapro[2].txt
Adware:Adware/PurityScan Not disinfected C:\Veracruz.ex_
Virus:Trj/NetCat.A Not disinfected 2001\Inbox\Utils\Netcat For windows\ncnt090.zip[netcat.exe]
Virus:EICAR-AV-TEST-FILE Not disinfected 2002\Sent Items\RE: Odd request, but what's new... :)\EICAR.COM
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools\psexec.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools\pskill.exe
Potentially unwanted tool:Application/Pskill.E Not disinfected D:\iFolder\SysInternals\Pstools.zip[pskill.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected D:\iFolder\SysInternals\Pstools.zip[psexec.exe]
Adware:Adware/Qoologic Not disinfected F:\!KillBox\brsags.exe
Adware:Adware/Qoologic Not disinfected F:\!KillBox\hohdr.dat
Adware:Adware/Qoologic Not disinfected F:\!KillBox\hysawbh.dll
Virus:Trj/Qoologic.J Not disinfected F:\!KillBox\rbjef.exe
Adware:Adware/Qoologic Not disinfected F:\!KillBox\tyebm.exe
Virus:Trj/Qoologic.J Not disinfected F:\avenger\backup.zip[rbjef.exe]
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\bdoster.001\Cookies\bdoster@adopt.hbmediapro[2].txt
Potentially unwanted tool:Application/Psshutdown.A Not disinfected F:\WINNT\psshutdown.exe

I had located the Veracruz file a few days ago and renamed it. Eicar.com and netcat.exe are in old email archives (Outlook PST files), so they are no immediate threat. The ps* files are part of Sysinternals (a set of utils worth looking up if you're not familiar with them!) and are all OK. Everything else other than the cookies is backups made by malware killers throughout this fun time we're having here. :p So, it looks pretty good to me, but I'll let you be the judge.

Thank you for your help!
 