Full Version: Grateful for any help
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
michaeldcurran
Hi

For the last few weeks I have been noticing suspicious activity on my laptop (mainly that the dial-up connection started coming up automatically on startup and that items of outbound mail were being sent when I didn't write any). I have Norton AntiVirus, which detected nothing; ran Stinger, same result. Got Spyware Nuker and got rid of loads of spyware (cookies mainly). Also got Sygate Personal Firewall and have noticed that I had a few suspicious items which I managed to at least block if not get rid of. However, there still seems to be a fair bit of stuff: a rand.32 file that Norton cannot get rid of; r_server.exe (which I have been told is a virus but is not detected); services.exe plus a few others. All of these may be harmless but I am not sure. Sygate still tells me about activity that I have not initiated and I just need to know where to go next.

HijackThis log as requested - any help or reassurance gratefully appreciated

:unsure: :unsure:

Logfile of HijackThis v1.97.7
Scan saved at 12:57:06, on 20/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\config\srvany.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\QHFOTCZ2\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C02095A-CF5C-427F-8957-0E65EFD66203} - C:\WINNT\system32\akhikye.dll
O2 - BHO: (no name) - {A8703B23-F42D-4044-8354-C0C249DADFD3} - C:\WINNT\system32\moz030715s.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Configurations Loader] atask.exe
O4 - HKLM\..\Run: [Microsoft Time] Time.exe
O4 - HKLM\..\Run: [RandomWin32] rand32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe
O4 - HKLM\..\RunServices: [Microsoft Time] Time.exe
O4 - HKLM\..\RunServices: [RandomWin32] rand32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe
O4 - HKCU\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adviser Office Taskbar.lnk = First\1stdir32\Program\Taskbar.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2AF846C6-19B8-11D8-8139-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_02/install.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4D26F531-49A6-11D8-8159-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_03/install.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {57684CE6-FA5A-11D7-812A-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_01/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.1849884259
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {AC99A6A7-7E76-11D8-8187-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_05/install.cab
O16 - DPF: {C943AF13-6207-11D8-816E-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_04/install.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/vip_236/w...OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meridian.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB092734-3CC3-474E-A854-6BFE8C58E432}: NameServer = 212.50.160.100 213.249.130.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meridian.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = meridian.local
Olja
Hi michael :)
First this:
http://forum.gladiator-antivirus.com/index...showtopic=10517

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use "c:\Programs\hijackthis\" but feel free to use any name.
michaeldcurran
Hi Olja

Have placed HijackThis into its own folder, run spyware, antivirus etc.

thanks for your reply
Olja
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\QHFOTCZ2\HijackThis[1].exe

it says Temporary Internet Files, or I'm stupid..... :blink:
michaeldcurran
In other words it helps if I re-run the scan and post the new log after moving HijackThis to its own folder :)

Logfile of HijackThis v1.97.7
Scan saved at 15:27:32, on 20/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\config\srvany.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wisptis.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C02095A-CF5C-427F-8957-0E65EFD66203} - C:\WINNT\system32\akhikye.dll
O2 - BHO: (no name) - {A8703B23-F42D-4044-8354-C0C249DADFD3} - C:\WINNT\system32\moz030715s.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Configurations Loader] atask.exe
O4 - HKLM\..\Run: [Microsoft Time] Time.exe
O4 - HKLM\..\Run: [RandomWin32] rand32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe
O4 - HKLM\..\RunServices: [Microsoft Time] Time.exe
O4 - HKLM\..\RunServices: [RandomWin32] rand32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe
O4 - HKCU\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adviser Office Taskbar.lnk = First\1stdir32\Program\Taskbar.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1843023.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2AF846C6-19B8-11D8-8139-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_02/install.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4D26F531-49A6-11D8-8159-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_03/install.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {57684CE6-FA5A-11D7-812A-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_01/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.1849884259
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {AC99A6A7-7E76-11D8-8187-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_05/install.cab
O16 - DPF: {C943AF13-6207-11D8-816E-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_04/install.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/vip_236/w...OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meridian.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB092734-3CC3-474E-A854-6BFE8C58E432}: NameServer = 212.50.160.100 213.249.130.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meridian.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = meridian.local
Olja
QUOTE (michaeldcurran @ Apr 20 2004, 02:34 PM)
In other words it helps if I re-run the scan and post the new log after moving HijackThis to its own folder :)

It helps you :)

Good job :thumb: now wait....

CalamityJane
Hi michael and welcome!

You have quite a bit of junk running on there and it certainly looks viral.

First, get rid of this item immediately using HiJackThis

Close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the box next to it, then press *fix checked*

O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1843023.cab

and reboot your PC so HJT can delete it

Next, open your Task Manager and if you see any of these .exe files running, click on them and press *end process* (the .exe files are named at the end of each entry). To open your Task Manager just right-click on a blank spot on your desktop.

O4 - HKLM\..\Run: [Configurations Loader] atask.exe
O4 - HKLM\..\Run: [Microsoft Time] Time.exe
O4 - HKLM\..\Run: [RandomWin32] rand32.exe

O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe
O4 - HKLM\..\RunServices: [Microsoft Time] Time.exe
O4 - HKLM\..\RunServices: [RandomWin32] rand32.exe
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe
Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE

Plus any other processes that you think look suspect

Immediately go get an online AV scan at one of the following (Panda preferred so you can save the report at the end in a text file and paste the findings back here)

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

.............................................
Next, you need to download and clean with this free program as I'm sure it will find more junk on your PC.

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)

Go to: Select Full Install and choose the download location of your choice (1.7 MB)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

After downloading and installing, first please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make these green also:

Automatically mark all objects in result list

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Now, after doing all that, scan once more with HijackThis and post a new log so we can see what remains to be fixed.
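A worked triage of the O4 entries CalamityJane singled out above, as an added example that is not part of this thread: a small Python script that parses the registry O4 lines of a HijackThis log and scores the signs a helper looks for by eye (a path-less executable name, a name one or two edits away from a core Windows binary, the RunServices key, a vendor-sounding label). The list of core binary names, the scoring weights, the threshold and the internat.exe allowlist are this example's own assumptions; the sample lines are copied from the log posted above.

```python
import re

# Stems (file name without extension) of core Windows NT/2000 binaries that
# malware commonly imitates with a one- or two-character change. This list
# and the scoring weights below are the example's own assumptions.
CORE_STEMS = (
    "lsass", "svchost", "services", "winlogon", "csrss", "smss", "spoolsv",
    "explorer", "ipconfig", "winspool", "rundll32", "regsvr32", "taskmgr",
)

# Path-less Run entries that are legitimate on Windows 2000; internat.exe is
# the input-locale tray indicator present in the log above (assumed allowlist).
KNOWN_BARE = {"internat.exe"}

# O4 registry entries look like:  O4 - HKLM\..\Run: [Label] command args
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# Constructed sample: O4 lines copied from the HijackThis log in this thread,
# mixed with its legitimate Symantec, Sygate and MSN Messenger entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Configurations Loader] atask.exe
O4 - HKLM\..\Run: [Microsoft Time] Time.exe
O4 - HKLM\..\Run: [RandomWin32] rand32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def score_entry(key: str, label: str, command: str):
    """Score one O4 registry entry; returns (score, list of reasons)."""
    exe = executable_of(command)
    basename = exe.rsplit("\\", 1)[-1]
    stem = basename.lower().rsplit(".", 1)[0]
    score, reasons = 0, []

    # A bare file name is resolved by a path search at logon; almost every
    # legitimate installer writes a fully qualified path instead.
    if "\\" not in exe and basename.lower() not in KNOWN_BARE:
        score += 2
        reasons.append("unqualified file name, resolved by path search")

    # Lookalike check: one edit for short stems, two for stems of 8+ characters,
    # so smc (Sygate) is not confused with smss but Ipconfig32 still matches.
    budget = 2 if len(stem) >= 8 else 1
    for core in CORE_STEMS:
        if 0 < levenshtein(stem, core) <= budget:
            score += 2
            reasons.append(f"name imitates core binary {core}")
            break

    if key.lower().startswith("runservices"):
        score += 1
        reasons.append("RunServices key (Windows 9x-era key, rarely written by current software)")

    if any(w in label.lower() for w in ("microsoft", "windows", "firewall")):
        score += 1
        reasons.append("vendor-style label")

    return score, reasons


def triage(log_text: str, threshold: int = 2):
    """Parse the registry O4 lines of a HijackThis log and return the entries
    scoring at or above threshold as (basename, score, reasons), highest first."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # startup-folder O4 lines and other HJT sections are not scored
        _hive, key, label, command = m.groups()
        score, reasons = score_entry(key, label, command)
        if score >= threshold:
            basename = executable_of(command).rsplit("\\", 1)[-1]
            findings.append((basename, score, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_LOG):
        print(f"{score}  {name:16} {'; '.join(reasons)}")
```

Run as-is it prints the scored entries highest first; feed a whole log with triage(open(path).read()). It is a heuristic, not a verdict: a bare name is also how internat.exe is registered, which is why the allowlist exists, and a fully qualified path under system32 (Ipconfig32.exe) proves nothing on its own.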
michaeldcurran
Hi Calamity Jane

Thanks for your advice so far, I have followed the first few steps. Removed the erotica thing (honestly denying all knowledge :( ). Checked on task manager, but none of the processes you highlighted were showing as running. Below is the report from the panda scan. Wow, though I deleted the emails mentioned without opening them. Onwards to the next steps


Incident Status Location

Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Re: Your document\corrected.zip[data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Re: patched\message.pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Mail Delivery (failure michael@meridian-fs.co.uk)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\application\application_michael.doc.pif
Virus:Trj/Delshare.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\copy\nobios.bat
Virus:Bck/Iroffer.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\copy\svshost.exe
Virus:Trj/Delshare.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\nobios.bat
Virus:Bck/Iroffer.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\svshost.exe
Virus:W32/Randon.AP.worm Disinfected C:\WINNT\system32\config\sec.bat
Virus:W32/Randon.AP.worm No disinfected C:\WINNT\system32\config\Windows-KB823980-x86-ENU.exe[sec.bat]
Virus:Bck/Sdbot.QG Disinfected C:\WINNT\system32\win32.dat
michaeldcurran
Hello again Jane

Have followed all the steps you gave and this is the latest Hijack this report

Logfile of HijackThis v1.97.7
Scan saved at 13:16:23, on 21/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\config\srvany.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C02095A-CF5C-427F-8957-0E65EFD66203} - C:\WINNT\system32\akhikye.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Configurations Loader] atask.exe
O4 - HKLM\..\Run: [Microsoft Time] Time.exe
O4 - HKLM\..\Run: [RandomWin32] rand32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe
O4 - HKLM\..\RunServices: [Microsoft Time] Time.exe
O4 - HKLM\..\RunServices: [RandomWin32] rand32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe
O4 - HKCU\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adviser Office Taskbar.lnk = First\1stdir32\Program\Taskbar.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2AF846C6-19B8-11D8-8139-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_02/install.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4D26F531-49A6-11D8-8159-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_03/install.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {57684CE6-FA5A-11D7-812A-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_01/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.1849884259
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {AC99A6A7-7E76-11D8-8187-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_05/install.cab
O16 - DPF: {C943AF13-6207-11D8-816E-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_04/install.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/vip_236/w...OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meridian.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meridian.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = meridian.local
Hunter
When you let Panda and HouseCall scan your laptop, did you set them to CLEAN the laptop, or just scan it?


http://www.sophos.com/virusinfo/analyses/w32agobotaa.html
Hunter
QUOTE (michaeldcurran @ Apr 20 2004, 09:34 AM)
In other words it helps if I re-run the scan and post the new log after moving HijackThis to its own folder :)

Logfile of HijackThis v1.97.7
Scan saved at 15:27:32, on 20/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Actually, the link Olja gave you required more than just moving the HijackThis application; it gave guidelines for posting in this forum. So my question to you is the following, based upon what I still see in the last HijackThis log you posted.


1. Did the Adaware you downloaded, installed, updated and then ran clean anything off that laptop? If so, do you remember what?


2. Also the same question for Spybot S&D?


Suggestion for your Adaware: set it up like this and then run it again.

*************************************
Try this using your Adaware


2. Go to Start > Programs > Lavasoft and click on AdAware 6 to open the program

3. Look at the icons on the top right of the page and click on the ‘world’ and let AdAware update the spyware reference list

4. Once the update is finished click on the ‘Gear’ icon (second from the left) to access the preferences/settings window

1. In the ‘General’ window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the ‘Scanning’ button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URLs
· Scan my Hosts file
· Under ‘Click here to select drives + folders’, choose:
· All of your hard drives

3. Click on the ‘Advanced’ button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information
· Include additional object details

4. Click the ‘Tweak’ button and select:
· Under the ‘Scanning Engine’:
· Unload recognized processes during scanning
· Include basic Ad-aware settings in logfile
· Include additional Ad-aware settings in logfile
· Under the ‘Cleaning Engine’:
· Let Windows remove files in use at next reboot

5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’ and on the next screen choose ‘Activate in-depth Scan’ at the bottom of the page and then choose:
· Use Custom Scanning Options

7. Click ‘Next’ and AdAware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click ‘finish’

9. REBOOT
*******************************


:thumb:
michaeldcurran
Hi Hunter

You will be glad to know that I did set up Ad-aware as suggested and that I kept a copy of the log giving details of the items discovered and quarantined/deleted (copy of log attached due to length, but if you would prefer me to post it I will do so). Have made changes to the 'Advanced' tab in settings as you asked and will post that log when it is available.

As you will see from the Panda report I have pasted below, there were 10 viruses detected but it could only delete 9.

Hope this helps you a little, but if there is something I have misunderstood, please let me know :thumb:


Incident Status Location

Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Re: Your document\corrected.zip[data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Re: patched\message.pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Mail Delivery (failure michael@meridian-fs.co.uk)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\application\application_michael.doc.pif
Virus:Trj/Delshare.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\copy\nobios.bat
Virus:Bck/Iroffer.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\copy\svshost.exe
Virus:Trj/Delshare.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\nobios.bat
Virus:Bck/Iroffer.E Disinfected C:\WINNT\CSC\d5\Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}\svshost.exe
Virus:W32/Randon.AP.worm Disinfected C:\WINNT\system32\config\sec.bat
Virus:W32/Randon.AP.worm No disinfected C:\WINNT\system32\config\Windows-KB823980-x86-ENU.exe[sec.bat]
Virus:Bck/Sdbot.QG Disinfected C:\WINNT\system32\win32.dat
Hunter
Thanks Michael... that was a big help... we are keeping track of what can be cleaned in various ways, and since you were nice enough to try Panda and Housecall besides what we can do for you here, I was making sure we understood the capabilities of the methods you used... and the results.

:thumb:
CalamityJane
This PC has a lot of problems and HijackThis is not the tool to fix all of them. I can see indications of infections, but it certainly wasn't made for and won't remove everything like a current, up-to-date AV or anti-trojan program would.

But even then, Ooof! So many backdoor trojans :o I would not trust that PC to be safe even after cleaning if it were mine.

And you do have this r_server running, which is a remote administration tool - it may have been installed without your knowledge.

You can try following the manual removal instructions here:
http://www.pestpatrol.com/pestinfo/g/ghost_radmin.asp

You have Spyware Nuker installed. It is a rip-off antispyware program, and it is classified as Adware by Symantec, which detects it as well (Ad-aware did detect it - it may have removed it if you did do that).
http://www.safer-networking.org/index.php?...tail=2003-02-12
http://sarc.com/avcenter/venc/data/adware.spywarenuker.html

If you did not intentionally install it, uninstall the MyWay Speed Bar using Add/Remove Programs in the Control Panel.

MessengerPlus is another program you should uninstall. It comes bundled with the LOP hijacker/parasite, and there are other alternatives like Trillian or just plain old Messenger that do not.

You can tick off these items in HijackThis and press the *fix checked* button - but I think that is only the tip of the iceberg:

O4 - HKLM\..\Run: [Configurations Loader] atask.exe
O4 - HKLM\..\Run: [Microsoft Time] Time.exe
O4 - HKLM\..\Run: [RandomWin32] rand32.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe
O4 - HKLM\..\RunServices: [Microsoft Time] Time.exe
O4 - HKLM\..\RunServices: [RandomWin32] rand32.exe
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe

Reboot your PC into safe mode and search for each of those .exe files in the list above and delete any found.

In the O16 items (Downloaded Program Files) I see many entries with this IP, 195.10.116.33, which does not seem to be valid - do you know what those programs are? You will see several at the end of your log.

O16 - DPF: {2AF846C6-19B8-11D8-8139-400009907187} - http://195.10.116.33/scotprov/download/sa/v5_02/install.cab

Did you reboot your PC after cleaning at Panda and scan again to see if any more items were found? Anything that cannot be cleaned or repaired should be deleted.

I would also advise you to uninstall and reinstall your Norton AV, then get the most current update for it and scan your PC, as there may be pieces of all those infections still on your computer. It must be damaged, obsolete or not updated to not be detecting those trojans that Panda found.

But, as I said in the first part of this reply - I think in this case you are safer to save any files you want to keep and reformat and reinstall your operating system.
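The O4 entries CalamityJane picks out above share a pattern worth recognising on any HijackThis log: value names that borrow Microsoft's wording, bare filenames with no path, the RunServices key, and executable names that are one letter away from a real system binary (lsas.exe for lsass.exe, Ipconfig32.exe for ipconfig.exe, and svshost.exe for svchost.exe in the Panda report). The script below is an added example written for this page, not a tool from the thread or from HijackThis itself. It parses O4 lines and scores each one against those four tells. The allow-list of legitimate Windows 2000 binaries is a small constructed subset, and the 0.8 similarity threshold is an assumption chosen to catch one-character edits without flagging unrelated names.

```python
"""Triage HijackThis O4 startup entries for common malware tells.

Added example; not part of the forum thread or of HijackThis.
"""
import re
from difflib import SequenceMatcher

# Constructed, deliberately small allow-list of legitimate Windows 2000
# system executables (lower-case basenames). Not authoritative.
KNOWN_SYSTEM_EXES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "mstask.exe", "winmgmt.exe", "regsvc.exe",
    "ipconfig.exe", "csrss.exe",
}

# O4 - HKLM\..\Run: [Value Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run(?:Services|Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Lines copied from the thread's log, used as sample input.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Configurations Loader] atask.exe",
    r"O4 - HKLM\..\Run: [Microsoft Time] Time.exe",
    r"O4 - HKLM\..\Run: [RandomWin32] rand32.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe",
    r"O4 - HKLM\..\RunServices: [Auto Start] winspol.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Firewall Settings Loader] conf32.exe",
    r"O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\Ipconfig32.exe",
]


def parse_o4(line):
    """Split one O4 line into hive, key, value name, command and exe basename."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    exe = cmd.split("\\")[-1].split()[0].lower()
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "cmd": cmd, "exe": exe}


def lookalike(exe, threshold=0.8):
    """Return the legitimate binary this name most resembles without being it.

    Exact matches are not look-alikes. Threshold is an assumption: a ratio of
    0.8 catches single-character insertions/deletions on names of this length.
    """
    exe = exe.lower()
    if exe in KNOWN_SYSTEM_EXES:
        return None
    best, score = None, 0.0
    for known in sorted(KNOWN_SYSTEM_EXES):
        r = SequenceMatcher(None, exe, known).ratio()
        if r > score:
            best, score = known, r
    return best if score >= threshold else None


def triage(line):
    """Return the parsed entry with a list of reasons it looks suspicious."""
    entry = parse_o4(line)
    if entry is None:
        return None
    reasons = []
    if entry["key"] == "RunServices":
        reasons.append("RunServices key is rarely used by legitimate software")
    if "\\" not in entry["cmd"]:
        reasons.append("bare filename with no path (resolved via PATH search)")
    if entry["name"].lower().startswith("microsoft"):
        reasons.append("value name impersonates Microsoft")
    lk = lookalike(entry["exe"])
    if lk:
        reasons.append(f"'{entry['exe']}' resembles system binary '{lk}'")
    entry["reasons"] = reasons
    return entry


def report(lines):
    """Triage many lines; return only entries that raised at least one reason."""
    results = [triage(l) for l in lines]
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for e in report(SAMPLE_O4_LINES):
        print(f"{e['hive']}\\..\\{e['key']} [{e['name']}] {e['cmd']}")
        for reason in e["reasons"]:
            print("   -", reason)
```

The look-alike check is the part that generalises beyond this log: it works on any basename, so the same function flags the svshost.exe from the Panda report. A bare filename is not malicious on its own (installers do write them), so the reasons are collected rather than reduced to a single verdict, and the analyst decides.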
Hunter
If I might ask... what is the primary purpose and function for which you use this platform:


Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

on the internet...

and is it your only PC, or do you have a network? If so, what is your hardware configuration?
Invision Power Board © 2001-2009 Invision Power Services, Inc.