Viruses, Spyware and other Nasties RSS Viruses, Spyware and other Nasties RSS

HijackThis shows 01 entries - can't remove

Thread Solved
1 2

Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

HijackThis shows 01 entries - can't remove

 
0
  #1
Feb 3rd, 2005
Gents:
Every now and then I decide to run a HiJack this in order to seew hat's in there and make sure all is clean.

Ran this morning and got the following log. I went through and ran the following:
Adaware - CWShredder - TrojanHunter - Bazooka
Cleaned everything as necessary. Compared this log to one from a clean session and did not see anything unwarranted (though I will admit I am stioll learning about the 016 entries)

I try to clean the 01 entries but they return.
Any advice would be appreciated!
Thanks
agavzy
________________________________________________
Logfile of HijackThis v1.99.0
Scan saved at 10:16:22 AM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/samet...RoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/v_r1...ex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GravitixService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe
Reply With Quote Quick reply to this message  
Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

Re: HijackThis shows 01 entries - can't remove

 
0
  #2
Feb 3rd, 2005
All:

Seems that my recycle bin, though it has entries, is also not showing those entries when opened and will not delete
Thanks
agavzy
Reply With Quote Quick reply to this message  
Join Date: Feb 2004
Posts: 9,982
Reputation: crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold 
Solved Threads: 754
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: HijackThis shows 01 entries - can't remove

 
0
  #3
Feb 3rd, 2005
Can you try the Symantec removal tool first. I need to see if it's any good . That's if you do not mind me experimenting with you?
http://securityresponse.symantec.com...e.look2me.html
Follow the instructions from Symantec.
Once done, please do the following;

Reboot.

Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. To create a logfile, click the button named: 'Make Log'. This will open logfile using Notepad. Please post (copy/paste) the results and post them in this topic.

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run Dllcompare by clicking the "Run Locate.com" then click Compare button... when done post that log here.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Reply With Quote Quick reply to this message  
Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

Re: HijackThis shows 01 entries - can't remove

 
0
  #4
Feb 3rd, 2005
Crunchie:

Good to hear from you again - this one has been a real pain in the butt! And the pop-ups are becoming VERY annoying!

Downloaded the Symantic tool and tried to run - it kept getting hung on the mcshield.exe process. Would not let me kill the program and had to reboot so that I could run the others.

Also - I've been to c:\windows\system32\drivers\etc\hosts and have found the following entries:
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch

Everytime I erase them and then close and open the file - they're baaaacck!

In any event, as promised, here are the VX2Finder and Dllcompare logs.
Also - I did run DllCompare earlier and tried to get rid of some of the files it listed, even tried it under safeboot, but the system would not allow it:
------------------------------------------------------------
Log for VX2.BetterInternet File Finder
Files Found---

Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{1D835F6F-CC2F-4717-91B7-25039AF29AC1}
---------------------------------------------------------
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\k4620e~1.dll Thu Feb 3 2005 5:16:20p ..S.R 231,189 225.77 K
C:\WINDOWS\SYSTEM32\o0lu0a~1.dll Thu Feb 3 2005 5:11:36p ..S.R 231,189 225.77 K
C:\WINDOWS\SYSTEM32\r46u0e~1.dll Thu Feb 3 2005 1:15:02p ..S.R 230,991 225.57 K
________________________________________________
1,272 items found: 1,272 files (3 H/S), 0 directories.
Total of file sizes: 237,433,624 bytes 226.43 M
Administrator Account = True
--------------------End log---------------------

THANKS CRUNCHIE!!!!
Reply With Quote Quick reply to this message  
Join Date: Feb 2004
Posts: 9,982
Reputation: crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold 
Solved Threads: 754
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: HijackThis shows 01 entries - can't remove

 
0
  #5
Feb 4th, 2005
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Reply With Quote Quick reply to this message  
Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

Re: HijackThis shows 01 entries - can't remove

 
0
  #6
Feb 4th, 2005
Crunchie:

Did what you had asked (and also did some other things last night).
Last nite - enabled system restore boot. Went in this morning and erased EVERYTHING that had a creation date of 2/03/05 (date of infection). Erased hosts file as well. Did an extra search and finally found gurard.tmp - erased that one too!

Downloaded file as requested, attached are logs from L2Mfix and HJT. By the by - recycle bin now shows files.

Thanks
agavzy
__________________________________________________________
L2Mfix 1.02a

Running From:
C:\Documents and Settings\GavzyA\Desktop\l2mfix


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
- adding new ACCESS DENY entry

Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\GavzyA\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\GavzyA\Desktop\l2mfix

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1476 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dykquoui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izetppui.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\dykquoui.dll
Successfully Deleted: C:\WINDOWS\system32\dykquoui.dll
deleting: C:\WINDOWS\system32\izetppui.dll
Successfully Deleted: C:\WINDOWS\system32\izetppui.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: dykquoui.dll (200 bytes security) (deflated 4%)
adding: izetppui.dll (200 bytes security) (deflated 5%)
adding: clear.reg (200 bytes security) (deflated 46%)
adding: echo.reg (200 bytes security) (deflated 8%)
adding: desktop.ini (200 bytes security) (deflated 13%)
adding: direct.txt (200 bytes security) (stored 0%)
adding: lo2.txt (200 bytes security) (deflated 74%)
adding: readme.txt (200 bytes security) (deflated 49%)
adding: test.txt (200 bytes security) (deflated 36%)
adding: test2.txt (200 bytes security) (deflated 27%)
adding: test3.txt (200 bytes security) (deflated 27%)
adding: test5.txt (200 bytes security) (deflated 27%)
adding: xfind.txt (200 bytes security) (deflated 31%)
adding: backregs/1E35D77C-450F-45DC-AAC8-6812C14F93EA.reg (200 bytes security) (deflated 70%)
adding: backregs/68BC2DCF-74EF-497A-A903-FF508BB7EBDD.reg (200 bytes security) (deflated 70%)
adding: backregs/6981F636-98BA-496D-8259-AD0B8651D71B.reg (200 bytes security) (deflated 70%)
adding: backregs/shell.reg (200 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dykquoui.dll
deleting local copy: izetppui.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SecuRemote_UnInstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k6jslg1716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dykquoui.dll
C:\WINDOWS\system32\izetppui.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1E35D77C-450F-45DC-AAC8-6812C14F93EA}"=-
"{68BC2DCF-74EF-497A-A903-FF508BB7EBDD}"=-
"{6981F636-98BA-496D-8259-AD0B8651D71B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{1E35D77C-450F-45DC-AAC8-6812C14F93EA}]
[-HKEY_CLASSES_ROOT\CLSID\{68BC2DCF-74EF-497A-A903-FF508BB7EBDD}]
[-HKEY_CLASSES_ROOT\CLSID\{6981F636-98BA-496D-8259-AD0B8651D71B}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1D835F6F-CC2F-4717-91B7-25039AF29AC1}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{1D835F6F-CC2F-4717-91B7-25039AF29AC1}</IDone>
<IDtwo>DS4</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

____________________________________________________________
Logfile of HijackThis v1.99.0
Scan saved at 9:04:44 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wiwqww.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/samet...RoomClient.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://carlson2.centra.com/SiteRoots...Downloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/v_r1...ex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GravitixService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe
Reply With Quote Quick reply to this message  
Join Date: Feb 2004
Posts: 9,982
Reputation: crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold 
Solved Threads: 754
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: HijackThis shows 01 entries - can't remove

 
0
  #7
Feb 4th, 2005
Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
wiwqww.exe

Go to C:\WINDOWS\System32 and delete that file manually.

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Reply With Quote Quick reply to this message  
Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

Re: HijackThis shows 01 entries - can't remove

 
0
  #8
Feb 5th, 2005
Process killed and deleted. File downloaded and run - here's the log:

By the way - why is it that when you have 'spyware' on your pc, the pop-ups you get are for spyware cleaners? Makes you wonder who put them there in the first place.

Really, though, do you know of a dowload manager that does not come with spy-adware? Curious to see if one exists.

Anyway - here's the log:
=======================================================
"Silent Runners.vbs", revision 30
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sametime Connect" = ""C:\Program Files\Lotus\Sametime Client\Connect.exe"" ["Lotus Development Corporation"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"BMMGAG" = "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor" [MS]
"BMMLREF" = "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [null data]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."]
"TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data]
"TPKMAPHELPER" = "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper" ["IBM Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.0\THGuard.exe"" ["Mischel Internet Security"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Narrator" = "C:\WINDOWS\System32\wiwqww.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"1a5fd708-03a9-4db5-a1ad-a7054fd32123\(Default)" = (no title provided)
\StubPath = "C:\WINDOWS\System32\hzhxhh.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.0\contmenu.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "SecuRemote_UnInstall\DLLName" = "C:\WINDOWS\system32\k6jslg1716.dll" [file not found]
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0
DisplayName = "Workstation Policy"
\0 -> launches: "\\ent.ad.cognos.com\sysvol\ent.ad.cognos.com\Policies\{0AB3DEBB-53D0-495F-B9A1-E8F73DA8E3AA}\Machine\Scripts\Startup\Wrksta_Start.cmd" [file not found]

Startup items in "GavzyA" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\GavzyA\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"huhfhh.exe" [null data]
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe" ["The Linksys Group, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\WINDOWS\Temp\WZQKPICK.EXE" ["WinZip Computing, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"" ["Network Associates, Inc."]
Check Point SecuRemote Service, SR_Service, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"" ["Check Point Software Technologies"]
Check Point SecuRemote WatchDog, SR_WatchDog, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"" ["Check Point Software Technologies"]
IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]
IBM PM Service, IBMPMSVC, "C:\WINDOWS\System32\ibmpmsvc.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe"" ["Network Associates, Inc."]
PatchLink Update, PatchLink Update, "C:\Program Files\Patchlink\Update Agent\GravitixService.exe" ["Patchlink Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Reply With Quote Quick reply to this message  
Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

Re: HijackThis shows 01 entries - can't remove

 
0
  #9
Feb 5th, 2005
I'm looking at the file and it seems to indicate that wiwqww is still there, I've checked, its not.


Also, should I be questioning the existance of hzhxhh.exe as well?
As always - thanks Crunchie

agavzy
Reply With Quote Quick reply to this message  
Join Date: Apr 2004
Posts: 55
Reputation: agavzy is an unknown quantity at this point 
Solved Threads: 0
agavzy agavzy is offline Offline
Junior Poster in Training

Re: HijackThis shows 01 entries - can't remove

 
0
  #10
Feb 5th, 2005
Also - found this file when I did a search for wiwqww:

WIWQWW.EXE-0CBA861F.pf under the c:\windows\prefetch subdirectory - what the blue blazes is a prefetch?
Reply With Quote Quick reply to this message  
Reply
1 2

Quick Reply to Thread
This thread has been marked solved.
Perhaps start a new thread instead?
Message:



Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gumblar halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus sans scareware school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista warning windows worm yahoo
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC