Help - Search - Members - Calendar
Full Version: AID_SEARCHAID.A ???
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
bealer
May 30 2005, 04:54 PM
Trend Micro's PC-cillin has identified this virus as being on my machine, but seems to be ineffective in removing it. I have also run Spybot, Adaware, and AVG in both normal and Safe Modes. The symptoms keep re-appearing. It erases my default browser home page and brings up a pop-up spyware ad every time that I activate the browser. AVG running in the background has reported multiple instances of contaminated files including mfcjj.exe, iptw.exe, appuz.exe, d3zo.exe, and winfz32.exe. I use DiamondCSRegistryProt to notify me when any entry attempt is made to the registry. There have been registry attempts for apide32.exe, d3kf32.exe, and many many attempts to register ntag.exe I have no idea what these registry attempts are, so I've denied them all.

Below is the log file for Hijack This.

Any help would be GREATLY appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 11:28:45 AM, on 5/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
C:\regprot\regprot.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\YourSiteUp Pro\yoursiteup.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\tbctray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\RFA\rfagent.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\MSWord97\Office\OSA.EXE
C:\Omega Research\Program\orschd.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\ntag.exe
C:\Junk\Virus Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common

Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\! Marys C

Backup\Netscape\Communicator\Program\NetHelp\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {F76388F4-6EAB-E7FB-C25E-6733C8D60FED} - C:\WINNT\system32\mswk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [YourSiteUp] "C:\Program Files\YourSiteUp Pro\yoursiteup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security

2005\pccguide.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Omega Research Task Scheduler.lnk = C:\Omega Research\Program\orschd.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk =

C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\MSWord97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSWord97\Office\OSA.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\Netants\NAGet.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~2\NTXcontext.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\Netants\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINNT\system32\msjava.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} -

C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} -

C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} -

C:\PROGRA~1\NEOTRA~2\NTXtoolbar.htm (HKCU)
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -

http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -

http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control

version 3) - https://liverep.esignal.com/netagent/objects/custappx3.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -

https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.real.com/04dddf6353279a...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -

http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) -

https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} -

http://prod1.centra.com/SiteRoots/main/Ins...aDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_04) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

https://esignaltraining.webex.com/client/la...ent/ieatgpc.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) -

http://www.paltalk.com/prod/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer =

66.133.191.35,170.215.255.114
O17 - HKLM\System\CS2\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer =

66.133.191.35,170.215.255.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer =

66.133.191.35,170.215.255.114
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION -

f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common

Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia

Keyboard\nhksrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. -

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. -

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe"

-service (file missing)
Mosaic1
May 30 2005, 08:26 PM
Disable RegProt so it doesn't interfere with our repairs.

You'll also need to download and install some tools.


You will be restarting into Safe mode later.
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgen...001052409420406
--------
Download CWShredder from this page:
http://www.intermute.com/spysubtract/cwshr...r_download.html
Don't run it yet.
--------
Download AboutBuster created by Rubber Ducky.

http://www.downloads.subratam.org/AboutBuster.zip

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit". We don't want you to run it yet. Only get the updates so it is ready to run later in safe mode.
-----------------------------------------

Download the latest version of Ad-Aware
http://www.lavasoftusa.com/support/download/

After installing AAW, and before running the program, you NEED to FIRST update it:
Launch Ad-Aware, and click "Check for Updates" above the start button; you'll be prompted to download and install the latest Reference File.

You must also download, and install the VX2 plugin for Ad-Aware: http://www.lavasoft.de/software/addons/vx2cleaner.shtml

Do all of this and then exit. We will have you scan later.
------------------------------------------------------------


Because XP will not always show you hidden files and folders by default.
Reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
----------

It is very important that you follow all instructions, especially updating the programs you have been asked to install.

----------------



Run hijackthis again and this time please do not do any editing. Your log is very hard to read. It appears you may have edited before you posted. Thanks.
bealer
May 30 2005, 09:09 PM
I've done as you requested, although none of the downloaded software has been run yet. Below is the new log. I haven't edited anything in there. Just a simple copy and paste from Notepad. Your help is appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 4:03:34 PM, on 5/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\YourSiteUp Pro\yoursiteup.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\tbctray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\RFA\rfagent.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\MSWord97\Office\OSA.EXE
C:\Omega Research\Program\orschd.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\ntag.exe
C:\WINNT\system32\d3kf32.exe
C:\Junk\Virus Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\! Marys C Backup\Netscape\Communicator\Program\NetHelp\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {F76388F4-6EAB-E7FB-C25E-6733C8D60FED} - C:\WINNT\system32\mswk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [YourSiteUp] "C:\Program Files\YourSiteUp Pro\yoursiteup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKLM\..\Run: [ntag.exe] C:\WINNT\ntag.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Omega Research Task Scheduler.lnk = C:\Omega Research\Program\orschd.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\MSWord97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSWord97\Office\OSA.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\Netants\NAGet.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~2\NTXcontext.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\Netants\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~2\NTXtoolbar.htm (HKCU)
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://liverep.esignal.com/netagent/objects/custappx3.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04dddf6353279a...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://prod1.centra.com/SiteRoots/main/Ins...aDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_04) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/la...ent/ieatgpc.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O17 - HKLM\System\CS2\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
Mosaic1
May 30 2005, 10:37 PM
Go to Start >Run and type
Services.msc
Press enter.

When the Services Console opens, scroll down the list and find this entry:
Workstation NetLogon Service

Double click on Workstation NetLogon Service to bring up the properties page.
Stop the service and set it to disabled. Apply and close the services console.
----------------------------------------------

Restart into Safe mode.

Go to Start>Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zkrma.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\! Marys C Backup\Netscape\Communicator\Program\NetHelp\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F76388F4-6EAB-E7FB-C25E-6733C8D60FED} - C:\WINNT\system32\mswk.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntag.exe] C:\WINNT\ntag.exe
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
4 - Global Startup: Microsoft Find Fast.lnk = C:\MSWord97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSWord97\Office\OSA.EXE
O15 - Trusted Zone: http://linktrader.cyberspacehq.com

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04dddf6353279a...ip/RdxIE601.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - - (no file)


Delete these files if they still exist:

C:\WINNT\ntag.exe
C:\WINNT\system32\d3kf32.exe
C:\WINNT\system32\zkrma.dll
C:\WINNT\system32\mswk.dll
--------


Run About:Buster



Run CWshredder and press the fix button to clean.

Run Ad-Aware and allow it to clean.



--------------------




Empty your Temporary Internet Files and history in Internet Options.
It's a good idea to do that regularly.


Go to Internet Options>Programs
Click the reset Web Settings Button to reset your home and search pages.
-------------------



Restart into Regular Windows.


---------------

Go to this link and run the free AV scan to clean up the residual files:

http://housecall.trendmicro.com/housecall/start_corp.asp
-------------------


If you were using a Hosts File it was deleted.

Download the Hoster from the link below. Click Restore Original Hosts. Click OK.

http://www.funkytoad.com/download/hoster.zip

--------
control.exe may have been deleted. If you go to start >Run and type control.exe and press enter, control panel should open. If it doesn't you need a new copy of control.exe/

Follow instructions here to replace it: http://www.spywareinfo.com/~merijn/winfiles.html#control
----

Check System32 to be sure you have a file named Shell.dll

If you do not have one, go to System32\dllcache
Find shell.dll and right click on it. Choose Copy from the menu.
Open System32 and right click on an empty space in the window. Choose Paste from the menu.

------

Go here and follow the directions to reset your ActiveX
http://www.computercops.biz/postt7736.html


Run HijackThis again and post the new log in your next reply in this same topic.

Post the log which about:Buster created as well.
bealer
May 31 2005, 02:51 PM
I have done all as requested. I am no longer seeing the symptoms, so I assume that it is fixed, but please take a look at the HijackThis and AboutBuster logs below and verify. Your help is greatly appreciated!


Logfile of HijackThis v1.99.1
Scan saved at 9:46:18 AM, on 5/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\regprot\regprot.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\YourSiteUp Pro\yoursiteup.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\tbctray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\RFA\rfagent.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\MSWord97\Office\OSA.EXE
C:\WINNT\System32\svchost.exe
C:\Omega Research\Program\orschd.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Junk\Virus Stuff\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Netscape/Users/support/bookmark.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\! Marys C Backup\Netscape\Communicator\Program\NetHelp\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [YourSiteUp] "C:\Program Files\YourSiteUp Pro\yoursiteup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Omega Research Task Scheduler.lnk = C:\Omega Research\Program\orschd.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\MSWord97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSWord97\Office\OSA.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\Netants\NAGet.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~2\NTXcontext.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\Netants\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~2\NTXtoolbar.htm (HKCU)
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://liverep.esignal.com/netagent/objects/custappx3.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04dddf6353279a...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://prod1.centra.com/SiteRoots/main/Ins...aDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_04) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/la...ent/ieatgpc.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O17 - HKLM\System\CS2\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scanned at: 7:48:02 AM on: 5/29/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINNT\CLOCK.AVI:sqztc


Removed! : C:\WINNT\system32\dkikz.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINNT\CLOCK.AVI:sqztc


Attempted Clean Of Temp folder.
Pages Reset... Done!
Mosaic1
May 31 2005, 03:02 PM
You're welcome. That does look good! At some point did you have Trend Micro installed? You have 3 entries for it in your services.

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


This should be fixed:
R3 - Default URLSearchHook is missing

These Office Entries, especially the FindFst are Memory hogs. I never ran findfast for Office when I used it.

O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\MSWord97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSWord97\Office\OSA.EXE

-----------
bealer
May 31 2005, 04:01 PM
Yes, I had installed the 30 day trial of Trend Micro's PC-cillin to try to identify the current problem, but it didn't help. I've un-installed it, as well as made your suggested HijackThis changes. The new log is below:


Logfile of HijackThis v1.99.1
Scan saved at 10:58:19 AM, on 5/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\regprot\regprot.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\YourSiteUp Pro\yoursiteup.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\tbctray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\RFA\rfagent.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Junk\Virus Stuff\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Netscape/Users/support/bookmark.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\! Marys C Backup\Netscape\Communicator\Program\NetHelp\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [YourSiteUp] "C:\Program Files\YourSiteUp Pro\yoursiteup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\Netants\NAGet.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~2\NTXcontext.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\Netants\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\Netants\NetAnts.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~2\NTXtoolbar.htm (HKCU)
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://liverep.esignal.com/netagent/objects/custappx3.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04dddf6353279a...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://prod1.centra.com/SiteRoots/main/Ins...aDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_04) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/la...ent/ieatgpc.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O17 - HKLM\System\CS2\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{6080773B-4DB2-47C9-BA39-70A8F3389501}: NameServer = 66.133.191.35,170.215.255.114
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - f:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
Mosaic1
May 31 2005, 10:18 PM
That looks good. If everything is running well, I'd say you are clean.

You look to be security consciousm but here is my standard parting advice.

Here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.