Messages - sss_cols

1
Tech Clinic / Spyware
« on: April 21, 2005, 08:45:29 AM »
I cannot remove CallingHome.biz from my system. It is impervious to Spybot, AdAware, Spyware Doctor, SpySweeper, Microsoft Anti-Spy and BHO Demon. (As well as a couple others) All updates have been downloaded and failed. I am not qualified to attempt to edit the registry. Our resident IT expert has asked me to load the HiJackThis logfile and asks for direction before proceeding.

Thanks for any assistance you can provide. CallingHome.biz appears to be almost indestructible. Please forgive any forum protocol I may have violated. I'm a first timer on this kind of message board. Thank you.

The HiJackThis results file is posted below

=================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 11:23:52 AM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\LogWatNT.exe
d:\Oracle\Ora81\BIN\OWASTSVR.EXE
E:\qttask.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
E:\ADOBE_PROGRAMS\Acrobat\Distillr\AcroTray.exe
C:\WINNT\system32\STARTPG.EXE
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.5.10.52/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PANDORA:4913
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\ADOBE_PROGRAMS\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "E:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [zzzHPSETUP] G:\Setup.exe
O4 - Startup: Start PageTools.lnk = C:\WINNT\system32\STARTPG.EXE
O4 - Global Startup: Acrobat Assistant.lnk = E:\ADOBE_PROGRAMS\Acrobat\Distillr\AcroTray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\mspclnt\ISATRAY.EXE
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapweb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/English%20to%20Spanish.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = columbus.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{203AF222-4F88-4D35-9618-D53E43778FEE}: NameServer = 64.132.94.250,216.136.95.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = columbus.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{203AF222-4F88-4D35-9618-D53E43778FEE}: NameServer = 64.132.94.250,216.136.95.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = columbus.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{203AF222-4F88-4D35-9618-D53E43778FEE}: NameServer = 64.132.94.250,216.136.95.2
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: OracleOraHome81ClientCache - Unknown owner - d:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - d:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe

2
Software / CallingHome.biz
« on: April 19, 2005, 11:32:13 AM »
I cannot remove CallingHome.biz from my system. It is impervious to Spybot, AdAware, Spyware Doctor, SpySweeper, Microsoft Anti-Spy and BHO Demon. (As well as a couple others) All updates have been downloaded and failed. I am not qualified to attempt to edit the registry. Our resident IT has asked me to load the HiJackThis logfile and asks for direction before proceeding, but I keep getting error messages that the 9K results file is too large. I'll have to do another post when asked.

Thanks for any assistance you can provide. CallingHome.biz appears to be almost indestructible. Please forgive any forum protocol I may have violated. I'm a first timer on this kind of message board. Thank you.
