TheTechGuide Forum
General Category => Tech Clinic => Topic started by: ErikOzz on February 28, 2005, 02:35:29 PM
-
Pls help. My friend's browser has been hijacked, and he can't get rid of the problem (appears to be "BetterInternet"?). He ran AdAware, SpyBot, and CWShredder, but they could not fix the problem. Now, he can't even open his Internet Explorer, so I am trying to help him out.
Here's his Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:20:24 PM, on 2/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\ePOAgent\naPrdMgr.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-boi:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nykline.com;10.*;*.yti.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\System32\rsyncmon.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {6048EF3A-79A9-4685-952A-14F64999D3A2} - C:\WINNT\System32\smsnv.dll
O2 - BHO: SDWin32 Class - {754B68EE-1FF6-42FE-869F-50988B810AA7} - C:\WINNT\System32\fmujr.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [smsnvc] C:\WINNT\System32\smsnvc.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Cgpqyq.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Oqohun.exe
O4 - HKLM\..\Run: [zrwxfa4g] C:\Program Files\zrwxfa4g\zrwxfa4g.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\System32\netsync.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [prutqct] C:\WINNT\System32\prutqct.exe
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
Will someone pls help us identify the culprits?
Thank you VERY MUCH in advance.
-
Let's try some cleanup and then we'll manually tackle your log
First off
I see SpywareStormer in your log
I advise that if you didn't pay for it to remove it
It's on the bogus list, take a look
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Once it's uninstalled
Restart your computer
Let me know if you have removed it
Back in Windows
Go back to Add/Remove Programs
Remove if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer
Elitebar or similar
180 Search Assistant or similar (You must be connected to the internet. Just keep pressing the uninstall button when it prompts).
Don't reboot until all have been Removed if found, Not even if you're prompted
Once the last is Removed
Restart your computer
Come back here and post a fresh hijackthis log
Are your versions of Spybot and Ad-Aware the latest?
Spybot 1.3>>with all updates
Ad-Aware SE 1.05>>all updates?
Could you also download and save to desktop
VX2 finder.exe: http://downloads.subratam.org/VX2Finder(126).exe
Open it and
"Click to Find VX2.BetterInternet"
Wait for it to finish scanning and then Make a log and post it back too
-
questolo-
We've uninstalled SpywareStormer, along w/ all of the searchbars.
Here's a new Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:22:27 PM, on 2/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\RightFax\faxctrl.exe
C:\ePOAgent\UpdaterUI.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-boi:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nykline.com;10.*;*.yti.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\System32\rsyncmon.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {6048EF3A-79A9-4685-952A-14F64999D3A2} - C:\WINNT\System32\smsnv.dll
O2 - BHO: SDWin32 Class - {754B68EE-1FF6-42FE-869F-50988B810AA7} - C:\WINNT\System32\fmujr.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [smsnvc] C:\WINNT\System32\smsnvc.exe
O4 - HKLM\..\Run: [zrwxfa4g] C:\Program Files\zrwxfa4g\zrwxfa4g.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\System32\netsync.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\System32\prutqct.exe
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
Also, we ran "VX2 Finder", and here's the log:
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn
Guardian Key--- is called:
User Agent String---
Q312461
What's next?
-
Can you do me a favor before we do some manual cleaning
Open Spybot and click on HELP>>ABOUT
let me know Spybot Version and Latest detection date
Open Ad-Aware and click on DETAILS>>in Initialization status
Let me know Reference Number and Internal build
-
SpyBot Version 1.3
No detection updates installed.
AdAware
Reference number: SE1R28 16.02.2005
Internal build: 33
-
Ok Erik, let's try some cleanup
Print this out or save to a Notepad file on the desktop
also know how to start into safe mode, as this will be needed shortly, I've supplied a link below if you're unsure
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\System32\rsyncmon.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {6048EF3A-79A9-4685-952A-14F64999D3A2} - C:\WINNT\System32\smsnv.dll
O2 - BHO: SDWin32 Class - {754B68EE-1FF6-42FE-869F-50988B810AA7} - C:\WINNT\System32\fmujr.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [smsnvc] C:\WINNT\System32\smsnvc.exe
O4 - HKLM\..\Run: [zrwxfa4g] C:\Program Files\zrwxfa4g\zrwxfa4g.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\System32\netsync.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\System32\prutqct.exe
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer into SAFE MODE by tapping the F8 key as the system is booting up or follow the link: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039
Find and delete these files or folders if they exist
C:\WINNT\BTGrab.dll <--file
C:\WINNT\Helper101.dll
C:\WINNT\farmmext.exe
C:\WINNT\System32\rsyncmon.dll
C:\WINNT\System32\AUNBHO.dll
C:\WINNT\System32\smsnv.dll
C:\WINNT\System32\fmujr.dll
C:\WINNT\System32\fmujrc.exe
C:\WINNT\System32\smsnvc.exe
C:\WINNT\System32\netsync.exe
C:\WINNT\System32\prutqct.exe
C:\Program Files\zrwxfa4g <--this folder
C:\Program Files\VBOUNCER <--folder
C:\Documents and Settings\All Users\Application Data\msw <--folder
C:\Program Files\Spyware Stormer <--folder
Stay in Safe mode
Do a Disk Cleanup
START>>RUN>>type in
cleanmgr
Ensure Temp and Temp internet files are checked
Return to Normal mode
Spybot doesn't seem to be updating
Can you open Spybot and Search for updates and Download all updates
Check for Problems>>Fix everything in RED
Restart your computer to finish the cleaning process
If it still doesn't seem to be updating
I see you're running through a Proxy server, check the settings in Spybot
you will have to know your proxy setting
Which can be found through
Control Panel>>Internet options>>Connections tab>>Under your connection type
Click Settings
Those you will have to add into Spybot
Open Spybot>>Click on Mode>>Advanced>>Ok the prompt
Click Settings>>Settings again in the column
On the right hand side scroll down to WEB UPDATE and check Use Proxy to Connect to Update Server
Fill in the required fields
Let me know if it will now update
-
Was able to receive SpyBot update after adjusting the settings; program found and fixed 7 additional items after the update.
Here's the latest Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:29:18 PM, on 2/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\RightFax\faxctrl.exe
C:\ePOAgent\UpdaterUI.exe
C:\Program Files\E!PC\EXTRA.EXE
C:\Program Files\E!PC\EXTRA.EXE
C:\Program Files\E!PC\EXTRA.EXE
C:\Program Files\E!PC\EXTRA.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-boi:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nykline.com;10.*;*.yti.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINNT\system32\smlogsvc.exe (file missing)
How does it look?
-
That looks better
How's everything running?
Make sure you clean out those temp folders
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
You're a bit behind on Windows Updates, this is important in keeping the system secure too
Service Pack 4 for Windows 2000 has been out for some time
You should visit Windows updates and get all latest Critical Updates and service packs
Restart when prompted and revisit Windows Updates until you get all latest Critical updates
Don't get the Recommended updates unless there's something wanted....
NOTE: I've only seen this in one other log
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
and this in your running processes
C:\Program Files\E!PC\EXTRA.EXE
Combine that with the Proxy server, can I assume that this is something to do with work?
I just want to make sure it's all ok
-
The system's back up to speed, and Explorer is functioning normally again.
Downloading Service Pack 4 for Windows 2000 now....
We'll be sure to download SpywareBlaster to prevent future attacks.
You're right about "C:\Program Files\E!PC\EXTRA.EXE": it boots our internal systems upon startup, so it's legit.
That should do it.
My SINCEREST thanks for all of your help with this problem!
Take care!
-
Sounds good, I'll lock this topic as your problems appear to be resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread
Stay safe, oh, and don't forget to go back and rehide hidden files and folders
Don't want them wondering what all those transparent icons are about