
vundo fun for me too


wolraht


Hello all,

I started out over in the main forum and now I am posting my first log here.

Malwarebytes' Anti-Malware 1.31

Database version: 1535

Windows 5.1.2600 Service Pack 2

12/23/2008 7:45:32 AM

mbam-log-2008-12-23 (07-45-32).txt

Scan type: Quick Scan

Objects scanned: 72280

Time elapsed: 40 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 14

Registry Values Infected: 4

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjdskcu (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhhevv -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhhevv -> Delete on reboot.

Folders Infected:

C:\Documents and Settings\du402c\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\VvEhhRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\VvEhhRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\du402c\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\du402c\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\du402c\Local Settings\Temporary Internet Files\Content.IE5\90DH1N9T\CAN1FQWD (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I will run the panda scan next and get that posted.


Here are the results from my Panda scan.

;*******************************************************************************

ANALYSIS: 2008-12-23 10:26:33

PROTECTIONS: 1

MALWARE: 19

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

McAfee VirusScan Enterprise 8.5.0.781 No Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.trafficmp.com/]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.doubleclick.net/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.atdmt.com/]

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.247realmedia.com/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.fastclick.net/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.fastclick.net/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.fastclick.net/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.fastclick.net/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.tribalfusion.com/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.tribalfusion.com/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.tribalfusion.com/]

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.mediaplex.com/]

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.linksynergy.com/]

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.linksynergy.com/]

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.linksynergy.com/]

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.linksynergy.com/]

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Cookies\du402c@com[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[ad.yieldmanager.com/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.apmebf.com/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.apmebf.com/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Cookies\du402c@apmebf[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.burstnet.com/]

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.burstnet.com/]

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Cookies\du402c@statse.webtrendslive[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.ads.pointroll.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.realmedia.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.questionmarket.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.questionmarket.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.zedo.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Firefox\Profiles\dujvvd5a.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\du402c\Application Data\Mozilla\Profiles\companyx_Default_User\syxt1yre.slt\cookies.txt[.go.com/]

04384357 Adware/VirusRemover2008 Adware No 0 Yes No C:\Documents and Settings\du402c\Local Settings\Temporary Internet Files\Content.IE5\O9EZSHQV\winsinstall[1].exe

04384357 Adware/VirusRemover2008 Adware No 0 Yes No C:\Documents and Settings\du402c\Local Settings\Temp\winsinstall.exe

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

182048 HIGH MS07-069

176382 HIGH MS07-057

170906 HIGH MS07-045

170904 HIGH MS07-043

164913 HIGH MS07-033

160623 HIGH MS07-027

150253 HIGH MS07-016

141030 HIGH MS06-072

137568 HIGH MS06-067

126083 HIGH MS06-042

120814 HIGH MS06-021

114664 HIGH MS06-013

;===============================================================================

I will run HijackThis next.

Edited by AdvancedSetup: Sanitized data

Here is the HijackThis log.

It ran really quickly, so I hope I ran the right thing.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:32:08 AM, on 12/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\Connected\AgentSrv.EXE

C:\Program Files\ISS\Proventia Desktop\blackd.exe

C:\WINDOWS\system32\DWRCS.exe

C:\appl\Rational\ClearCase\bin\lockmgr.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\PJS\pjssrvc.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files\ISS\Proventia Desktop\RapApp.exe

c:\windows\system32\rcmdsvc.exe

C:\WINDOWS\system32\sgrmsrvn.exe

C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe

C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe

C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe

C:\WINDOWS\system32\StacSV.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\vnxserv.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

C:\WINDOWS\system32\xElevate_dbd8.exe

C:\WINDOWS\system32\cccredmgr.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\win32xev.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\system32\DWRCST.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SGRMCTRL.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Microsoft Office Communicator\Communicator.exe

C:\Program Files\Connected\CBSysTray.exe

C:\Program Files\ISS\Proventia Desktop\blackice.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.altavista.com

O15 - Trusted Zone: http://*.euroseek.com

O15 - Trusted Zone: http://*.excite.com

O15 - Trusted Zone: http://*.msn.com

O15 - Trusted Zone: http://*.overture.com

O15 - Trusted Zone: http://*.sonic.com

O15 - Trusted Zone: http://*.verizonbusiness.com

O15 - Trusted Zone: http://*.webex.com

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mw.nos.companyx.com

O17 - HKLM\Software\..\Telephony: DomainName = mw.nos.companyx.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mw.nos.companyx.com

O20 - Winlogon Notify: ccnotify - C:\WINDOWS\SYSTEM32\ccnotify.dll

O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

O20 - Winlogon Notify: goremote - C:\Program Files\iPass\Mobile Office 6\6.2.3.7\CBL\GoRemoteCBL.dll

O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll

O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll

O20 - Winlogon Notify: sgrmnot - C:\WINDOWS\SYSTEM32\sgrmnotn.dll

O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE

O23 - Service: Atria Location Broker (Albd) - IBM Corporation - C:\appl\Rational\ClearCase\bin\albd_server.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe

O23 - Service: Rational Cred Manager (cccredmgr) - IBM Corporation - C:\WINDOWS\system32\cccredmgr.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: Group Policy Agent (GPSCRIPT) - The companyx Company - C:\WINDOWS\System32\gpscript.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\Mobile Office 6\6.2.3.7\Bin\iPassPeriodicUpdateApp.exe

O23 - Service: LAR Win32xev (LarWin32xev) - Unknown owner - C:\WINDOWS\system32\win32xev.exe

O23 - Service: IBM Rational Lock Manager (LockMgr) - IBM Corporation - C:\appl\Rational\ClearCase\bin\lockmgr.exe

O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\appl\Rational\ClearQuest\mailservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Print Utility (PrintUtility) - The companyx Company - C:\PROGRA~1\PJS\pjssrvc.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe

O23 - Service: SafeGuard

Edited by AdvancedSetup: Sanitized data

Root Admin

Please note the Holidays are approaching and I may be unavailable for a couple days.

Please be patient, I've not forgotten you and will resume assistance when I return.

STEP 01

Start HJT and do a Scan only and place a check mark on the following items:

  • O15 - Trusted Zone: http://www.companyxcashawards.com

  • O15 - Trusted Zone: http://www.companyxservice.com

  • O15 - Trusted Zone: http://www.companyxtravel.com

  • O15 - Trusted Zone: http://www.pridecompanyx.com

  • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mw.nos.companyx.com

  • O17 - HKLM\Software\..\Telephony: DomainName = mw.nos.companyx.com

  • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mw.nos.companyx.com

  • O20 - Winlogon Notify: ccnotify - C:\WINDOWS\SYSTEM32\ccnotify.dll

  • O20 - Winlogon Notify: sgrmnot - C:\WINDOWS\SYSTEM32\sgrmnotn.dll

Then click on Fix checked

STEP 02

Please upload the following files for review here:

  • C:\WINDOWS\SYSTEM32\ccnotify.dll

  • C:\Program Files\iPass\Mobile Office 6\6.2.3.7\CBL\GoRemoteCBL.dll

  • C:\WINDOWS\SYSTEM32\sgrmnotn.dll


STEP 03

Download and install CCleaner

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close ALL PROGRAMS

  • Start the CCleaner program.

  • Click on Registry and Uncheck Registry Integrity so that it does not run

  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts


STEP 04

Please click on START - RUN and copy and paste the information below into the box and click OK

CMD /C SC QUERY >C:\MYSERVICES.TXT | NOTEPAD C:\MYSERVICES.TXT

This should open NOTEPAD with information regarding the current services on your system. Copy and paste back that information on your next reply.

STEP 05

Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware

  • Update Malwarebytes' Anti-Malware:
      • Select the Update tab
      • Click Update

  • When the update is complete, select the Scanner tab

  • Select Perform quick scan, then click Scan.

  • When the scan is complete, click OK, then Show Results to view the results.

  • Be sure that everything is checked, and click Remove Selected.

  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

STEP 06

Post back the MYSERVICES log, MBAM log, and run a new HJT log and reply with it as well.
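The MYSERVICES.TXT dump requested in STEP 04 and the O23 lines of the HijackThis log describe the same services from two angles: `sc query` gives the runtime state and service type, HijackThis gives the binary path and the publisher name read from the file's version information ("Unknown owner" when there is none). The following Python is an added example, not part of this thread, that joins the two by service name and lists running services that are marked interactive or whose binary has no known publisher, which is the kind of cross-check a helper does by eye on these logs. The sample records are constructed from lines visible in this thread; the field layout follows `sc query` output on Windows XP, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the layout `sc query` prints on Windows XP; the
# three records reuse names and values from the MYSERVICES.TXT paste above.
SC_QUERY_SAMPLE = """\
SERVICE_NAME: AgentSrv
DISPLAY_NAME: Connected Agent Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)

SERVICE_NAME: LarWin32xev
DISPLAY_NAME: LAR Win32xev
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)

SERVICE_NAME: McShield
DISPLAY_NAME: McAfee McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
"""

# Constructed sample: O23 lines copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: LAR Win32xev (LarWin32xev) - Unknown owner - C:\WINDOWS\system32\win32xev.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# O23 layout: display name, optional (short name), publisher, drive-letter path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$"
)


def parse_sc_query(text: str) -> Dict[str, dict]:
    """Return {service_name: record} from `sc query` output."""
    services: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(), "flags": []}
            services[current["name"]] = current
        elif current is None:
            continue  # text before the first record (e.g. a pasted greeting)
        elif line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif line.startswith("(") and line.endswith(")"):
            # the accepted-controls line that follows STATE
            current["flags"] = [p.strip() for p in line[1:-1].split(",")]
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            current[key.lower()] = value
    return services


def parse_hjt_o23(text: str) -> Dict[str, dict]:
    """Return {short_name.lower(): record} from HijackThis O23 lines."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # HJT omits the parenthesised short name when it equals the display name
        rec["name"] = rec["name"] or rec["display"]
        entries[rec["name"].lower()] = rec
    return entries


def triage(services: Dict[str, dict], hjt: Dict[str, dict]) -> List[dict]:
    """Flag running services that are interactive or have no known publisher."""
    findings = []
    for name, svc in services.items():
        if "RUNNING" not in svc.get("state", ""):
            continue
        reasons = []
        if "(interactive)" in svc.get("type", ""):
            reasons.append("interactive service")
        entry = hjt.get(name.lower())
        if entry and entry["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append({"name": name, "display": svc.get("display", ""),
                             "path": entry["path"] if entry else "",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_sc_query(SC_QUERY_SAMPLE), parse_hjt_o23(HJT_SAMPLE)):
        print(f"{f['name']:<14} {', '.join(f['reasons']):<22} {f['path']}")
```

On the sample above this reports AgentSrv (interactive) and LarWin32xev (unknown owner) and stays quiet about McShield. Neither flag is a verdict: an interactive service is simply one that can draw on the user's desktop while running as a service, and "Unknown owner" only says the binary carries no company name, which is why the helper asks for the file itself rather than deciding from the log.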

I uploaded the three files you requested and the MyServices.txt info is pasted in below. I have not done the other steps quite yet, just waiting for a response from my last question before I do.

thanks.

SERVICE_NAME: AgentSrv

DISPLAY_NAME: Connected Agent Service

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: AudioSrv

DISPLAY_NAME: Windows Audio

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: BlackICE

DISPLAY_NAME: BlackICE

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: cccredmgr

DISPLAY_NAME: Rational Cred Manager

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: CcmExec

DISPLAY_NAME: SMS Agent Host

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: CryptSvc

DISPLAY_NAME: Cryptographic Services

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: DcomLaunch

DISPLAY_NAME: DCOM Server Process Launcher

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Dhcp

DISPLAY_NAME: DHCP Client

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: dmserver

DISPLAY_NAME: Logical Disk Manager

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Dnscache

DISPLAY_NAME: DNS Client

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: DWMRCS

DISPLAY_NAME: DameWare Mini Remote Control

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: ERSvc

DISPLAY_NAME: Error Reporting Service

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Eventlog

DISPLAY_NAME: Event Log

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: EventSystem

DISPLAY_NAME: COM+ Event System

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: GPSCRIPT

DISPLAY_NAME: Group Policy Agent

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: helpsvc

DISPLAY_NAME: Help and Support

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: HidServ

DISPLAY_NAME: HID Input Service

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: lanmanserver

DISPLAY_NAME: Server

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: lanmanworkstation

DISPLAY_NAME: Workstation

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: LarWin32xev

DISPLAY_NAME: LAR Win32xev

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: LmHosts

DISPLAY_NAME: TCP/IP NetBIOS Helper

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: LockMgr

DISPLAY_NAME: IBM Rational Lock Manager

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: McAfeeFramework

DISPLAY_NAME: McAfee Framework Service

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: McShield

DISPLAY_NAME: McAfee McShield

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: McTaskManager

DISPLAY_NAME: McAfee Task Manager

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: MDM

DISPLAY_NAME: Machine Debug Manager

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: MSSQL$SQLEXPRESS

DISPLAY_NAME: SQL Server (SQLEXPRESS)

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Netlogon

DISPLAY_NAME: Net Logon

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Netman

DISPLAY_NAME: Network Connections

TYPE : 120 WIN32_SHARE_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: NICCONFIGSVC

DISPLAY_NAME: NICCONFIGSVC

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Nla

DISPLAY_NAME: Network Location Awareness (NLA)

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: NVSvc

DISPLAY_NAME: NVIDIA Display Driver Service

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: PlugPlay

DISPLAY_NAME: Plug and Play

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: PrintUtility

DISPLAY_NAME: Print Utility

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: ProtectedStorage

DISPLAY_NAME: Protected Storage

TYPE : 120 WIN32_SHARE_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: RapApp

DISPLAY_NAME: RapApp

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: RasMan

DISPLAY_NAME: Remote Access Connection Manager

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: RCMD

DISPLAY_NAME: RCMD

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: RemoteRegistry

DISPLAY_NAME: Remote Registry

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: rmsrvn

DISPLAY_NAME: SafeGuard® Removable Media Manager

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: RpcSs

DISPLAY_NAME: Remote Procedure Call (RPC)

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SamSs

DISPLAY_NAME: Security Accounts Manager

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SCardSvr

DISPLAY_NAME: Smart Card

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Schedule

DISPLAY_NAME: Task Scheduler

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: seclogon

DISPLAY_NAME: Secondary Logon

TYPE : 120 WIN32_SHARE_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SENS

DISPLAY_NAME: System Event Notification

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SgeClient

DISPLAY_NAME: SafeGuard Easy Client

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SgeCtl

DISPLAY_NAME: SafeGuard Easy Control

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: ShellHWDetection

DISPLAY_NAME: Shell Hardware Detection

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SMSWUagent

DISPLAY_NAME: SMSWUagent

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Spooler

DISPLAY_NAME: Print Spooler

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: SSDPSRV

DISPLAY_NAME: SSDP Discovery Service

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: STacSV

DISPLAY_NAME: SigmaTel Audio Service

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: TapiSrv

DISPLAY_NAME: Telephony

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: TermService

DISPLAY_NAME: Terminal Services

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: Themes

DISPLAY_NAME: Themes

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: TrkWks

DISPLAY_NAME: Distributed Link Tracking Client

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: UPHClean

DISPLAY_NAME: User Profile Hive Cleanup

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: VnxService

DISPLAY_NAME: Vsclient Service

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: VPatch

DISPLAY_NAME: ISS Buffer Overflow Exploit Prevention

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: W32Time

DISPLAY_NAME: Windows Time

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: WebClient

DISPLAY_NAME: WebClient

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: winmgmt

DISPLAY_NAME: Windows Management Instrumentation

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: WksCfgSrv

DISPLAY_NAME: SafeGuard Easy Workstation Server

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: wltrysvc

DISPLAY_NAME: Dell Wireless WLAN Tray Service

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: wuauserv

DISPLAY_NAME: Automatic Updates

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: xElevateService

DISPLAY_NAME: xElevate Service

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0


  • Root Admin

Please note the Holidays are approaching and I may be unavailable for a couple days or more.

Please be patient, I've not forgotten you and will resume assistance when I return.

Just as a quick check before I do this, the files you are asking me to select in step one all look like they are legitimate files, part of my company loadout. Can I ask why you think they need to be deleted\fixed according to HijackThis?

I assume you mean these entries: www.companyxtravel.com

Well Google does not know them and they don't resolve to legit sites for me.

Internet lookup does not know it either so that makes it invalid.

No match for domain "COMPANYXTRAVEL.COM".

No match for mw.nos.companyx.com

So if those are legit entries then your company needs to get it fixed with their ISP because the rest of the Internet World does not know them.


  • Root Admin

Well if this is legit then I'm taking your word for it because it sure doesn't look legit.

O23 - Service: xElevate Service (xElevateService) - The companyx Company - C:\WINDOWS\system32\xElevate_dbd8.exe

Are you still experiencing Malware related issues with the system?


Ah, yeah, those sites are basically local to the company intranet. You can't get to them while outside the company firewall. Even on my company laptop I can't get to them from home unless I use a program to tunnel through the firewall and get on the company network.

I have not experienced any more symptoms since I ran through the malwarebytes program, no.

Other than these few that you were concerned about, do the rest of the reports look clean to you?

thanks again.


  • Root Admin

Well as long as you know about them that's fine. Thanks for letting me know about them.

Would suggest at least one more round of scans and logs to double check.

Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Restart the computer and after the restart run a new HJT scan and save log.

Post back both logs.


MERRY CHRISTMAS!!!

Here are the two logs you requested. The HijackThis log has been sanitized to remove my company name.

Malwarebytes' Anti-Malware 1.31

Database version: 1535

Windows 5.1.2600 Service Pack 2

12/25/2008 10:52:42 AM

mbam-log-2008-12-25 (10-52-42).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 681886

Time elapsed: 6 hour(s), 3 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:02:00 AM, on 12/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Connected\AgentSrv.EXE

C:\Program Files\ISS\Proventia Desktop\blackd.exe

C:\WINDOWS\system32\DWRCS.exe

C:\WINDOWS\System32\gpscript.exe

C:\appl\Rational\ClearCase\bin\lockmgr.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\PJS\pjssrvc.exe

C:\Program Files\ISS\Proventia Desktop\RapApp.exe

c:\windows\system32\rcmdsvc.exe

C:\WINDOWS\system32\sgrmsrvn.exe

C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe

C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe

C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe

C:\WINDOWS\system32\StacSV.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\vnxserv.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

C:\WINDOWS\system32\xElevate_dbd8.exe

C:\WINDOWS\system32\cccredmgr.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\win32xev.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\system32\DWRCST.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\Help\Update.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\DHCPG32\dhcpg32.EXE

C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\WINDOWS\system32\sgrmctrl.exe

C:\Program Files\Microsoft Office Communicator\Communicator.exe

C:\Program Files\Connected\CBSysTray.exe

C:\Program Files\ISS\Proventia Desktop\blackice.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.altavista.com

O15 - Trusted Zone: http://*.euroseek.com

O15 - Trusted Zone: http://*.excite.com

O15 - Trusted Zone: http://*.msn.com

O15 - Trusted Zone: http://*.overture.com

O15 - Trusted Zone: http://*.sonic.com

O15 - Trusted Zone: http://*.verizonbusiness.com

O15 - Trusted Zone: http://*.webex.com

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mw.nos.boeing.com

O17 - HKLM\Software\..\Telephony: DomainName = mw.nos.boeing.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mw.nos.boeing.com

O20 - Winlogon Notify: ccnotify - C:\WINDOWS\SYSTEM32\ccnotify.dll

O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

O20 - Winlogon Notify: goremote - C:\Program Files\iPass\Mobile Office 6\6.2.3.7\CBL\GoRemoteCBL.dll

O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll

O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll

O20 - Winlogon Notify: sgrmnot - C:\WINDOWS\SYSTEM32\sgrmnotn.dll

O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE

O23 - Service: Atria Location Broker (Albd) - IBM Corporation - C:\appl\Rational\ClearCase\bin\albd_server.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe

O23 - Service: Rational Cred Manager (cccredmgr) - IBM Corporation - C:\WINDOWS\system32\cccredmgr.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: Group Policy Agent (GPSCRIPT) - The editedcompanyname Company - C:\WINDOWS\System32\gpscript.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\Mobile Office 6\6.2.3.7\Bin\iPassPeriodicUpdateApp.exe

O23 - Service: LAR Win32xev (LarWin32xev) - Unknown owner - C:\WINDOWS\system32\win32xev.exe

O23 - Service: IBM Rational Lock Manager (LockMgr) - IBM Corporation - C:\appl\Rational\ClearCase\bin\lockmgr.exe

O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\appl\Rational\ClearQuest\mailservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Print Utility (PrintUtility) - The editedcompanyname Company - C:\PROGRA~1\PJS\pjssrvc.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe

O23 - Service: SafeGuard® Removable Media Manager (rmsrvn) - Unknown owner - C:\WINDOWS\system32\sgrmsrvn.exe

O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe

O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe

O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe

O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINDOWS\system32\vnxserv.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

O23 - Service: xElevate Service (xElevateService) - The editedcompanyname Company - C:\WINDOWS\system32\xElevate_dbd8.exe

--

End of file - 12839 bytes

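As an added triage helper, not code from this thread or from any of the tools named in it: a short Python script that parses the O17, O20 and O23 lines of a HijackThis log like the one above and orders them for a human to review. The sample log is constructed (the domain suffix, the Notify DLL name abcdxyzq and its path are made up), and the heuristics are assumptions about what deserves a second look, not verdicts; an "Unknown owner" service, for instance, only means the binary carries no company name in its version resource.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format, modelled on the logs in this
# thread. The domain, the Notify DLL "abcdxyzq" and its path are made-up values.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://*.altavista.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = mw.nos.example-corp.com
O20 - Winlogon Notify: gemsafe - C:\\Program Files\\Gemplus\\GemSafe Libraries\\BIN\\WLEventNotify.dll
O20 - Winlogon Notify: abcdxyzq - C:\\WINDOWS\\SYSTEM32\\abcdxyzq.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\\Program Files\\ISS\\Proventia Desktop\\blackd.exe
O23 - Service: LAR Win32xev (LarWin32xev) - Unknown owner - C:\\WINDOWS\\system32\\win32xev.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\\WINDOWS\\system32\\vnxserv.exe
O23 - Service: Print Utility (PrintUtility) - The Example Company - C:\\PROGRA~1\\PJS\\pjssrvc.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): Domain(?:Name)? = (?P<domain>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>[A-Za-z]:\\.+)$")
# The short service name in parentheses is optional in HJT output (compare the
# BlackICE line above with the LarWin32xev line).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)
SEVERITY_RANK = {"high": 0, "review": 1, "info": 2}


@dataclass
class Finding:
    severity: str  # "high" | "review" | "info": a review priority, not a verdict
    line: str
    reason: str


def parse_line(line: str):
    """Return (kind, fields) for an O17/O20/O23 line, or None for anything else."""
    for kind, rx in (("O17", O17_RE), ("O20", O20_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None


def looks_generated(filename: str) -> bool:
    """Heuristic for random-looking DLL names of the kind Vundo dropped: an
    8-letter stem with fewer than two vowels. Vendor DLLs usually fail this."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) == 8 and sum(c in "aeiou" for c in stem) < 2


def triage(log_text: str) -> list:
    """Turn a HijackThis log into findings sorted by review priority."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, fields = parsed
        line = raw.strip()
        if kind == "O17":
            # A DNS suffix is informational: an intranet name will not resolve from
            # outside the company network, which is exactly what happened in this thread.
            findings.append(Finding("info", line,
                f"DNS domain is {fields['domain']}; confirm it is the expected corporate domain"))
        elif kind == "O20":
            dll = fields["path"].rsplit("\\", 1)[-1]
            if SYSTEM32_RE.match(fields["path"]):
                # Winlogon Notify DLLs load into winlogon.exe at every logon, which is
                # why Vundo used this key; a generated-looking name in system32 ranks highest.
                if looks_generated(dll):
                    findings.append(Finding("high", line,
                        f"Winlogon Notify DLL {dll} in system32 with a generated-looking name"))
                else:
                    findings.append(Finding("review", line,
                        f"Winlogon Notify DLL {dll} in system32; verify vendor and signature"))
        elif kind == "O23":
            if fields["owner"].lower() == "unknown owner":
                where = "system32" if SYSTEM32_RE.match(fields["path"]) else "its install folder"
                findings.append(Finding("review", line,
                    f"service '{fields['display']}' has no company name in its version info and runs from {where}"))
    findings.sort(key=lambda x: SEVERITY_RANK[x.severity])
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.severity:6}] {fnd.reason}\n         {fnd.line}")
```

On the constructed sample this yields one high finding (the random-named Notify DLL), two review findings (the two "Unknown owner" services in system32) and one informational O17 line; entries with a known vendor outside system32 produce nothing.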

  • Root Admin

Well I tried to clean it up but it would not let me. I'll try again on Monday if I can.

I will be out of town until Monday, while I'm gone please run the following and I'll assist you further when I return.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then run this AntiVirus tool.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found (image: check.gif).
    If so, click it, then click the next icon right below and select Move incurable (image: move.gif).
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, together with a new HijackThis log.

When that is done run another MBAM and HJT scan and post back all the logs.

Thank you and I'll be back to help more on Monday.


Sorry it took me so long to get back to this. I was out of town without my laptop.

Again, the HijackThis log has been sanitized to remove my company name.

Dr.Web CureIt didn't find anything, so it didn't generate a log file.

JavaRa Log:

JavaRa 1.13 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Jan 02 08:29:35 2009
Found and removed: C:\Windows\System32\jpicpl32.cpl
Found and removed: C:\Windows\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142130}
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142130}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D411203
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D411203
Found and removed: SOFTWARE\Classes\JavaPlugin.142_13
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_13
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_13
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_13
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
Found and removed: Software\JavaSoft\Java2D\1.6.0
Found and removed: C:\Program Files\JavaSoft
------------------------------------
Finished reporting.

MBAM Log:

Malwarebytes' Anti-Malware 1.31

Database version: 1535

Windows 5.1.2600 Service Pack 2

1/2/2009 12:20:15 PM

mbam-log-2009-01-02 (12-20-15).txt

Scan type: Quick Scan

Objects scanned: 72448

Time elapsed: 24 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:20:52 PM, on 1/2/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Connected\AgentSrv.EXE

C:\Program Files\ISS\Proventia Desktop\blackd.exe

C:\WINDOWS\system32\DWRCS.exe

C:\WINDOWS\System32\gpscript.exe

C:\appl\Rational\ClearCase\bin\lockmgr.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\PJS\pjssrvc.exe

C:\Program Files\ISS\Proventia Desktop\RapApp.exe

c:\windows\system32\rcmdsvc.exe

C:\WINDOWS\system32\sgrmsrvn.exe

C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe

C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe

C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe

C:\WINDOWS\system32\StacSV.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\vnxserv.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

C:\WINDOWS\system32\xElevate_dbd8.exe

C:\WINDOWS\system32\cccredmgr.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\win32xev.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\system32\DWRCST.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SGRMCTRL.EXE

C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\Help\Update.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Microsoft Office Communicator\Communicator.exe

C:\Program Files\Connected\CBSysTray.exe

C:\Program Files\ISS\Proventia Desktop\blackice.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.altavista.com

O15 - Trusted Zone: http://*.euroseek.com

O15 - Trusted Zone: http://*.excite.com

O15 - Trusted Zone: http://*.msn.com

O15 - Trusted Zone: http://*.overture.com

O15 - Trusted Zone: http://*.sonic.com

O15 - Trusted Zone: http://*.verizonbusiness.com

O15 - Trusted Zone: http://*.webex.com

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mw.nos.editedcomapnyname.com

O17 - HKLM\Software\..\Telephony: DomainName = mw.nos.editedcomapnyname.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mw.nos.editedcomapnyname.com

O20 - Winlogon Notify: ccnotify - C:\WINDOWS\SYSTEM32\ccnotify.dll

O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

O20 - Winlogon Notify: goremote - C:\Program Files\iPass\Mobile Office 6\6.2.3.7\CBL\GoRemoteCBL.dll

O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll

O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll

O20 - Winlogon Notify: sgrmnot - C:\WINDOWS\SYSTEM32\sgrmnotn.dll

O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE

O23 - Service: Atria Location Broker (Albd) - IBM Corporation - C:\appl\Rational\ClearCase\bin\albd_server.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe

O23 - Service: Rational Cred Manager (cccredmgr) - IBM Corporation - C:\WINDOWS\system32\cccredmgr.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: Group Policy Agent (GPSCRIPT) - The editedcomapnyname Company - C:\WINDOWS\System32\gpscript.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\Mobile Office 6\6.2.3.7\Bin\iPassPeriodicUpdateApp.exe

O23 - Service: LAR Win32xev (LarWin32xev) - Unknown owner - C:\WINDOWS\system32\win32xev.exe

O23 - Service: IBM Rational Lock Manager (LockMgr) - IBM Corporation - C:\appl\Rational\ClearCase\bin\lockmgr.exe

O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\appl\Rational\ClearQuest\mailservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Print Utility (PrintUtility) - The editedcomapnyname Company - C:\PROGRA~1\PJS\pjssrvc.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe

O23 - Service: SafeGuard® Removable Media Manager (rmsrvn) - Unknown owner - C:\WINDOWS\system32\sgrmsrvn.exe

O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe

O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe

O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe

O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINDOWS\system32\vnxserv.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

O23 - Service: xElevate Service (xElevateService) - The editedcomapnyname Company - C:\WINDOWS\system32\xElevate_dbd8.exe

--

End of file - 12623 bytes

Everything is looking good to me. Look good to you too?

Thanks again.


  • Root Admin

Please upload this file for review since there is very little information available for it. Upload it here:

C:\WINDOWS\SYSTEM32\sgrmnotn.dll

Also upload it here and see what they say about it please.

Jotti's malware scan

I think it's okay and part of your SafeGuard but want to check.

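Triage logic of the kind the helper applied above (a Winlogon Notify DLL in system32 with little public information, and services whose vendor HijackThis reports as "Unknown owner"), as an added example that is not part of this thread. The sample lines are copied from the HijackThis log posted above; flagging an entry means "ask for the file to be checked", not that it is malicious (sgrmnotn.dll turned out to be part of SafeGuard).

```python
import re

# O20/O23 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O20 - Winlogon Notify: gemsafe - C:\\Program Files\\Gemplus\\GemSafe Libraries\\BIN\\WLEventNotify.dll
O20 - Winlogon Notify: sgrmnot - C:\\WINDOWS\\SYSTEM32\\sgrmnotn.dll
O23 - Service: LAR Win32xev (LarWin32xev) - Unknown owner - C:\\WINDOWS\\system32\\win32xev.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\\WINDOWS\\system32\\vnxserv.exe
"""

# HijackThis line shapes for Winlogon Notify packages and services.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def review_candidates(log: str) -> list[dict]:
    """Return entries a helper would ask to have uploaded for a second opinion.

    Two heuristics, both taken from how this thread was handled:
      * O20 Winlogon Notify DLLs that live in system32 (loaded at every logon,
        a favourite Vundo persistence spot, and hard to vet by filename alone);
      * O23 services whose publisher HijackThis could not determine.
    """
    flagged = []
    for line in log.splitlines():
        m = O20_RE.match(line)
        if m and "\\system32\\" in m["path"].lower():
            flagged.append({"kind": "O20", "name": m["name"], "path": m["path"],
                            "reason": "Winlogon Notify DLL in system32"})
            continue
        m = O23_RE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            flagged.append({"kind": "O23", "name": m["name"], "path": m["path"],
                            "reason": "service with no identifiable vendor"})
    return flagged


if __name__ == "__main__":
    for entry in review_candidates(SAMPLE_LOG):
        print(f"{entry['kind']} {entry['name']}: {entry['reason']} -> {entry['path']}")
```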

I uploaded it to you guys and I uploaded and scanned it on Jotti. Jotti didn't find anything wrong with it.


  • Root Admin

Yes, looks good to me. I would highly recommend updating to Service Pack 3 and installing IE7, which is much more secure than IE6.

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check Turn off System Restore.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy

Download it from here. Just choose a mirror and off you go.

Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

You can find information about how WinPatrol works here.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community-managed and maintained hosts file that adds a layer of protection against access to ad, tracking and malicious websites. It prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
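How a hosts-file block list like hpHosts actually takes effect, as an added example that is not part of this thread: the resolver consults the hosts file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real site. The hosts content below is a constructed sample in the same layout, not the real hpHosts file, and the hostnames are made up.

```python
from __future__ import annotations
from typing import Optional

# Constructed sample in hpHosts layout: stock loopback lines, a few
# sinkholed names, several names on one line, and comments.
SAMPLE_HOSTS = """\
# constructed sample, hpHosts layout
127.0.0.1 localhost
::1       localhost
127.0.0.1 ads.example-tracker.test   # trailing comment
127.0.0.1 cdn.example-tracker.test www.example-tracker.test
0.0.0.0   malware.example-drop.test
"""

# Addresses that send a name back to the local machine or nowhere at all.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs in file order, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:                    # one line may list many names
            pairs.append((addr, name.lower()))
    return pairs


def resolve(hostname: str, entries: list[tuple[str, str]]) -> Optional[str]:
    """Mimic the hosts-file lookup: first matching name wins, case-insensitive."""
    target = hostname.lower().rstrip(".")
    for addr, name in entries:
        if name == target:
            return addr
    return None   # no hosts entry; the OS would now fall through to DNS


def is_sinkholed(hostname: str, entries: list[tuple[str, str]]) -> bool:
    """True if the hosts file sends this name to a local or null address."""
    addr = resolve(hostname, entries)
    return addr is not None and addr in SINKHOLE_ADDRS


def sinkholed_names(entries: list[tuple[str, str]]) -> list[str]:
    """Every hostname the file blocks, excluding the stock localhost lines."""
    return sorted({n for a, n in entries if a in SINKHOLE_ADDRS and n != "localhost"})
```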

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
