Help - Search - Members - Calendar
Full Version: Please Help!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
jclifton1
Aug 31 2005, 10:21 PM
This is a computer I'm using to work on, out of my home. It has a parts program I use to make my living. I am currently not able to access the program. I have a bunch of new icons on my screen including play bingo, free money, vote on war, 50 cent, etc, there are more. Everytime my computer boots up I get a bunch of errors, that cover the screen along with Dr Watson's errors. Can someone please help? Thank you so much, in advance!

Logfile of HijackThis v1.99.1
Scan saved at 10:07:55 AM, on 8/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
D:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enterthesearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nexpart.com/login.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enterthesearch.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\system32\pkshhgep.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\system32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\system32\opr.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\ll4lxp.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [nd97cihk] C:\WINNT\system32\nd97cihk.exe
O4 - HKLM\..\Run: [amhjrcs] C:\WINNT\system32\liia\amhjrcs.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\ll4lxp.exe reg_run
O4 - HKLM\..\Run: [fmlgsebv] C:\WINNT\system32\iyxp\fmlgsebv.exe
O4 - HKLM\..\Run: [dwprqf] C:\WINNT\system32\jvxoiumx\dwprqf.exe
O4 - HKLM\..\Run: [rcdkdml] C:\WINNT\system32\nvsflprc\rcdkdml.exe
O4 - HKLM\..\Run: [ffyaaicb] C:\WINNT\system32\yforign\ffyaaicb.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [jikdic] C:\WINNT\system32\jikdic.exe
O4 - HKLM\..\RunServices: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [pshower] C:\WINNT\system32\pshwr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\InetGet\stubinstaller6002.exe"
O4 - HKCU\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VBouncer.exe
O4 - HKCU\..\RunServices: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\flash_v7.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/203e1f28209894...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/website.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camiwe.brett-robinson.com/activex/AxisCamControl.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/g...GameManager.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Applets - C:\WINNT\system32\HUICONS.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: fmlgsebviyxp - Unknown owner - C:\WINNT\system32\iyxp\fmlgsebv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
LoPhatPhuud
Sep 1 2005, 12:10 AM
It is a wonder that your computer is even functional! BUt I am more surprised that a computer used for business has no AV, no firewall, no Anti Spyware program. Basically a naked computer, hooked to the internet, hollering "Infect Me"!!!

My standard suggestion for computers as hevily infected as yours is to reformat, re-install and protect before you connect. Whatever the outcome, backup your data.

We can try to recover, but be forewarned, if it looks to be losing battle, I am going stop trying to clean and ask that you reformat and reinstall. Even if we are successful in removing the garbage, there is no guarantee that your system will be stable enough to run correctly. Also, there is no guarantee that the data you want will be accessible.

If you still want to proceed. Then Ewido will be the first step. It should get rid of a lot of this. Then post a new HiJAckTHis in normal mode, and finally I need a list of startup items. Here are the instructions...

First:

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
    [
  • If Ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Copy the report and post it in this thread.


Second:
Run HiJackTHis again, in Normal Mode, and post a new log in this thread,


Third:
Download 'Autoruns' from here:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and the double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in this thread.
LoPhatPhuud
Sep 1 2005, 12:13 AM
Question:

DId you intall WinVNC on your computer??

I ask since it allows remote access to your computer.
jclifton1
Sep 1 2005, 06:49 PM
yes, the place that installed my network uses it sometimes. it is ok. I did what you said and here is my new hijack this log. Btw, it is running much better, but I'm still getting alot of pop ups.

Logfile of HijackThis v1.99.1
Scan saved at 1:42:39 PM, on 9/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\iyxp\fmlgsebv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\svcproc.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ukkknoa.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\opr.exe
C:\WINNT\system32\liia\amhjrcs.exe
C:\WINNT\system32\jvxoiumx\dwprqf.exe
C:\WINNT\system32\nvsflprc\rcdkdml.exe
C:\WINNT\system32\yforign\ffyaaicb.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system\okxqd.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [opr] C:\WINNT\system32\opr.exe
O4 - HKLM\..\Run: [amhjrcs] C:\WINNT\system32\liia\amhjrcs.exe
O4 - HKLM\..\Run: [fmlgsebv] C:\WINNT\system32\iyxp\fmlgsebv.exe
O4 - HKLM\..\Run: [dwprqf] C:\WINNT\system32\jvxoiumx\dwprqf.exe
O4 - HKLM\..\Run: [rcdkdml] C:\WINNT\system32\nvsflprc\rcdkdml.exe
O4 - HKLM\..\Run: [ffyaaicb] C:\WINNT\system32\yforign\ffyaaicb.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\RunServices: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKCU\..\RunServices: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\flash_v7.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/203e1f28209894...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\dnmsgnet.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fmlgsebviyxp - Unknown owner - C:\WINNT\system32\iyxp\fmlgsebv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
LoPhatPhuud
Sep 2 2005, 02:24 AM
First:
From the Desktop
Start -> run -> services.msc

In the pane on the right, scroll down and look for the following services:
Command Service (cmdService)
fmlgsebviyxp
System Startup Service (SvcProc)

For each one:
Under Service Status, if running, press the 'Stop' button
Under Service Type, use the pulldown menu and change to 'Disabled'

WHen all three are done, exit.


Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

O4 - HKLM\..\Run: [opr] C:\WINNT\system32\opr.exe
O4 - HKLM\..\Run: [amhjrcs] C:\WINNT\system32\liia\amhjrcs.exe
O4 - HKLM\..\Run: [fmlgsebv] C:\WINNT\system32\iyxp\fmlgsebv.exe
O4 - HKLM\..\Run: [dwprqf] C:\WINNT\system32\jvxoiumx\dwprqf.exe
O4 - HKLM\..\Run: [rcdkdml] C:\WINNT\system32\nvsflprc\rcdkdml.exe
O4 - HKLM\..\Run: [ffyaaicb] C:\WINNT\system32\yforign\ffyaaicb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\RunServices: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe
O4 - HKCU\..\RunServices: [Spoolsvc] C:\WINNT\system32\spoolsvc.exe

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\flash_v7.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/203e1f28209894...ip/RdxIE601.cab

O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\dnmsgnet.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: fmlgsebviyxp - Unknown owner - C:\WINNT\system32\iyxp\fmlgsebv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINNT\system32\opr.exe
C:\WINNT\system32\liia\ <--delete entire folder
C:\WINNT\system32\iyxp\ <--delete entire folder
C:\WINNT\system32\jvxoiumx\ <--delete entire folder
C:\WINNT\system32\nvsflprc\ <--delete entire folder
C:\WINNT\system32\yforign\ <--delete entire folder
C:\Program Files\SurfSideKick 3\ <--delete entire folder
C:\WINNT\system32\spoolsvc.exe
C:\WINNT\VCMnet11.exe
C:\Program Files\winCMAPP\ <--delete entire folder
repairs.dll
C:\WINNT\system32\dnmsgnet.dll
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\ <--delete entire folder
C:\WINNT\system32\iyxp\ <--delete entire folder
C:\WINNT\svcproc.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Third
Download 'Autoruns' from here:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and the double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in this thread.


Last:
You need to rethink the Win VNC issue. My advice is to remove it, or at least disable it until needed. This is your business computer and you almost lost it this time. For all I know, you may still. It is a risk you cannot live with. If they absolutely must have access, then turn on only when needed.

My suggestion is to learn the network steps yourself, then remove WinVNC entirely.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.