0

Hi, having various infection problems - can someone help please?

Problem 1
A message in a window appears every few minutes saying "This system is shutting down....this shutdown was initiated by NT/ AUTHORITY SYSTEM. C:\Windows\system32\lsass.exe terminated unexpectedly with status code 1073741819. The system will now shut down and restart"

The system doesn't shut down but then another message appears saying "Warning - Local Security Authority Service (lsass.exe) has encountered a serious problem (possible spyware infection). Click OK to visit Windows Security Center website and download spyware remover etc etc".

When click OK or cancel a browser window appears showing AntiSpyLab.com software to download.

Problem2
When downloading a .exe file recently an error message appears when trying to run it "filepath/program.exe is not a valid Win32 application. Not sure if this has anything to do with the spyware problems.

Here is a HJT log file. Appreciate your help.

yaduks.

Logfile of HijackThis v1.99.1
Scan saved at 20:52:03, on 30/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Oracle\Ora817\BIN\TNSLSNR.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Connected\CBSysTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\BT Broadband 2091\Help\bin\mpbtn.exe
C:\WINDOWS\system32\etlitr50.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\winsrv32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: winapi32.MyBHO - {AF79D4A2-725D-4627-9E34-08C04833D798} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [GetInfo] C:\Program Files\Network Associates\Common Framework\GetInfo.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 2091\Help\bin\matcli.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: cp_lawsonprod.bat
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_02\bin\npjpi140_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_02\bin\npjpi140_02.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hub.slb.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sisevents.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eur.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = eur.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eur.slb.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
O23 - Service: Entrust/TrueDelete(TM) (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleOraHome817Agent - Oracle Corporation - C:\Oracle\Ora817\bin\dbsnmp.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\Oracle\Ora817\BIN\ONRSD.EXE
O23 - Service: OracleOraHome817DataGatherer - Oracle Corporation - C:\Oracle\Ora817\bin\vppdc.exe
O23 - Service: OracleOraHome817HTTPServer - Unknown owner - C:\Oracle\Ora817\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome817PagingServer - Unknown owner - C:\Oracle\Ora817/bin/pagntsrv.exe
O23 - Service: OracleOraHome817TNSListener - Unknown owner - C:\Oracle\Ora817\BIN\TNSLSNR.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard Company - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

3
Contributors
3
Replies
4
Views
11 Years
Discussion Span
Last Post by 'Stein
0

Hi, Please run HJT again, and select Do system scan only. THen check these items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)


O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)


O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

O2 - BHO: winapi32.MyBHO - {AF79D4A2-725D-4627-9E34-08C04833D798} - C:\WINDOWS\system32\winapi32.dll

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

O4 - HKLM\..\Run: [Password Reminder] remind.vbs

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

O4 - Global Startup: cp_lawsonprod.bat

O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe

O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe

O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)

Click Fix Checked

-------------------------------------------------------------------

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now Start killbox Copy the list of files below to the clipboard by selecting all of them with your mouse (Left click the start of the list and drag the mouse to the bottom of the list) and when they are all selected ( highlighted in blue) right click on any part of the blue area and say copy

In the Killbox, Go to the toolbar press file and select Paste from clipboard. The first file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then press the red X again and continue to press untill the last file on the list appears in the window & it says deleted.

If they say it can't be deleted, check Delete on reboot, then reboot[/b]

File List:

C:\WINDOWS\system32\winapi32.dll

C:\WINDOWS\system32\runsrv32.exe

C:\WINDOWS\system32\susp.exe

C:\WINDOWS\system32\taskdir.exe


------------------------------------------------------------------

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds (Save log)

Post ewido log, along iwth a new HJT log.

0

tayspen,

i didn't delete these in HJT as they are work related and i assume they are ok -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com


O4 - Global Startup: cp_lawsonprod.bat

In killbox, the first two files i was able to delete but the last two didn't show up. I tried copying in individually but message was "file doesn't exist" (??)

Killbox Log:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           22:28:49, 30/04/2006
+ Report-Checksum:      CEF6BB0


+ Scan result:


HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\DailyToolbar.DLL -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\Bridge.brdg -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\DailyToolbar.IEBand -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\DailyToolbar.SysMgr -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\IEToolbar.AffiliateCtl -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\jao.jao -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\RespondMiter -> Adware.VX2 : Cleaned with backup
[1592] C:\WINDOWS\system32\winsrv32.exe -> Downloader.Adload.aq : Cleaned with backup
C:\quarantine\taskdir.exe.Vir -> Trojan.Small : Error during cleaning
C:\WINDOWS\system32\phqghume.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\qaadwegl.exe -> Downloader.VB.aan : Cleaned with backup
C:\WINDOWS\system32\winsrv32.exe -> Downloader.Adload.aq : Cleaned with backup
C:\WINDOWS\system32\xyccstit.aid -> Trojan.Agent.qe : Cleaned with backup



::Report End



HJT Log


Logfile of HijackThis v1.99.1
Scan saved at 22:37:57, on 30/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Oracle\Ora817\BIN\TNSLSNR.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Connected\CBSysTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\BT Broadband 2091\Help\bin\mpbtn.exe
C:\WINDOWS\system32\etlitr50.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Novadigm\RADREXXW.exe
C:\WINDOWS\system32\CMD.exe
C:\WINDOWS\mbsacli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: winapi32.MyBHO - {AF79D4A2-725D-4627-9E34-08C04833D798} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [GetInfo] C:\Program Files\Network Associates\Common Framework\GetInfo.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 2091\Help\bin\matcli.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: cp_lawsonprod.bat
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_02\bin\npjpi140_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_02\bin\npjpi140_02.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hub.slb.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sisevents.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eur.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = eur.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eur.slb.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
O23 - Service: Entrust/TrueDelete(TM) (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleOraHome817Agent - Oracle Corporation - C:\Oracle\Ora817\bin\dbsnmp.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\Oracle\Ora817\BIN\ONRSD.EXE
O23 - Service: OracleOraHome817DataGatherer - Oracle Corporation - C:\Oracle\Ora817\bin\vppdc.exe
O23 - Service: OracleOraHome817HTTPServer - Unknown owner - C:\Oracle\Ora817\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome817PagingServer - Unknown owner - C:\Oracle\Ora817/bin/pagntsrv.exe
O23 - Service: OracleOraHome817TNSListener - Unknown owner - C:\Oracle\Ora817\BIN\TNSLSNR.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard Company - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Edited by happygeek: fixed formatting

0

Heh ya, it's alrite to keep those sites on there.

First, let's try to uninstsall Alexa using these directions.

After this, we're gonna try to get rid of BetterInternet using the Nail fix, simply because they are similarly related.

Step 1.
==========

- Please download DSRFix from here
- Extract\unzip the files to your Desktop
(Note: Do NOT run this yet)

Step 2.
==========

- Please download Ad-Aware SE Personal from here
- Install it and check for updates
- Close Ad-Aware

Step 3.
==========

- Download Ad-Aware's VX2 Cleaner plugin from here
- Make sure Ad-Aware SE Personal is closed then install the VX2 Cleaner
- Start Ad-Aware SE Personal
- Click Add-Ons
- Double-click VX2 Cleaner
- Click OK to start the cleaner tool
- If nothing is found click OK and exit the program.

or

- If malware is found click Clean System
- When it's done click Start in Ad-Aware SE Personal
- Make sure Perform smart system scan is checked\selected
- Click Next
- Let it clean anything it finds

- Close program

Step 4.
==========

- Open the DSRFix folder on your Desktop
- Double click dsrfix.bat to run the program (Note: A DOS window should open and close quickly, this is normal)
- Once the fix has completed the tool will close on its own.

Step 5.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked.

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: winapi32.MyBHO - {AF79D4A2-725D-4627-9E34-08C04833D798} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe

- Click the "Fix checked" button.

Step 6.
==========

Copy this advise to a Notepad file. Save it to your desktop. We will use it later

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
C:\Program Files\Connected\CBSysTray.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Step 7.
==========

Let the system reboot. If it doesnt automatically, reboot your computer.

Step 8.
==========

- If you have a screen saver please turn it off for this scan
- Close all open Windows and Programs (Note: VERY IMPORTANT - Do NOT use your computer while Ewido is scanning)
- Start Ewido Security Suite, and run a full scan

  1. Click on Scanner.
  2. Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on OK
  3. Click on Complete System Scan, the scan will now begin.
  4. While the scan is in progress you will be promted to clean files, click OK.
  5. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  6. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  7. Click Save Report.
  8. Now save the report .txt file to your desktop.
  9. Close Ewido Security Suite

Step 9.
==========

- Run Ad-Aware SE Personal.
- Click Start in Ad-Aware SE Personal
- Make sure Perform smart system scan is checked\selected
- Click Next
- Let it clean anything it finds
- Close program

Step 10.
==========

- Reboot your computer
- Post a new HijackThis log
- Post the Ewido log

Thanks.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.