Author Topic: installer2.exe  (Read 6435 times)

Offline pierretopping
installer2.exe
« on: February 01, 2005, 06:36:15 AM »
Hi,

I'm having pop-ups all the time, and I'm scared as hell to use my PC. I have read some of the threads, and have tried to delete what does not look right. My HijackThis log file is as follows:

Logfile of HijackThis v1.99.0
Scan saved at 11:34:08, on 01/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NCH Swift Sound\IVM\ivm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sstray.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\GV600\GV600.exe
C:\Program Files\RBS Server\rbsmgr.exe
C:\Program Files\RBS Server\RBS.exe
C:\GV600\BcastTcp.exe
C:\GV600\DmHealthSvr.exe
C:\GV600\DMMailServer.exe
c:\winnt\system32\lrhcyhm.exe
c:\winnt\system32\packager.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\tmp\hijackthis.exe

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\system32\bridge.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [IVMRun] C:\Program Files\NCH Swift Sound\IVM\ivm.exe /logon
O4 - HKLM\..\Run: [lrhcyhm] c:\winnt\system32\lrhcyhm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINNT\system32\csxvfv.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Shortcut to GV600.lnk = C:\GV600\GV600.exe
O4 - Startup: Start RBS Server.lnk = C:\Program Files\RBS Server\rbsmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV600\DM500Startup.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31ef3b6fc0b376...ip/RdxIE601.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.nimsys.com/tsweb/msrdp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IVM Answering Attendant Service - Unknown - C:\Program Files\NCH Swift Sound\IVM\ivm.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

Norton AntiVirus also keeps popping up saying it stopped a file called installer2.exe from running.

Sorry to be a pain, but could somebody please tell me what they think I need to do :(

Thanks,

Pierre

Offline guestolo
installer2.exe
« Reply #1 on: February 01, 2005, 02:21:11 PM »
Hi Pierre, I see that you have Spybot installed
Can you do me a favor and open Spybot
Click on HELP at the top
Then click on ABOUT
Let me know Spybot version and latest Detection date, thanks

I see a couple bad processes running on your computer

If you haven't done so already, could you also
Download and Install the free version of Ad-Aware SE Personal 1.05
It's a great spyware removal tool that complements Spybot very well
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

I'm not sure what you've tried to remove already with Hijackthis
But from this point could you not try and fix anything else until I see the log, thanks
Just for a double check
Could you also
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane --- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Post back a fresh hijackthis log and the eScan results and then we'll get rid of the leftover bad guys :D
« Last Edit: February 01, 2005, 06:28:16 PM by guestolo »
Guest_pierretopping_*
installer2.exe
« Reply #2 on: February 02, 2005, 03:02:55 AM »
Hi,

Thank you for coming back so quick :)

The Ad-Aware SE Personal 1.05 found 13 things wrong... I'm amazed.

The version of Spybot is 1.2 with "no detection updates installed", strange as I do click on the update icon?

e-scan picked up the following:-

File C:\WINNT\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINNT\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINNT\farmmext.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DrTemp\mm_reco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DrTemp\thnall1b.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr7702 infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI14A0.tmp\farmmext.cab infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI14A0.tmp\farmmext.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI32FE.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI32FE.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI3BF8.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI3BF8.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI4B39.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI6C65.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI6C65.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI6E23.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI6E23.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI79BF.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THICA6.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THICA6.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\DrTemp\mm_reco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\DrTemp\thnall1b.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr7702 infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI14A0.tmp\farmmext.cab infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI14A0.tmp\farmmext.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI32FE.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI32FE.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI3BF8.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI3BF8.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI4B39.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI6C65.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI6C65.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI6E23.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI6E23.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI79BF.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THICA6.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THICA6.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\048C0000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04900000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04940000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\049C0000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04DC0000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04E80000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04FC0000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05040000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05400000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06C40000.VBN infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06C40002.VBN infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\My Documents\misc\bbctick1.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Documents\USB drive backup\CUTEftp\CUTE3032.EXE infected by "not-a-virus:AdWare.Aureate" Virus. Action Taken: No Action Taken.
File C:\My Documents\WAV'S\cds113.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


The status in hijack is now :-

Logfile of HijackThis v1.99.0
Scan saved at 08:02:27, on 02/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NCH Swift Sound\IVM\ivm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sstray.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\GV600\GV600.exe
C:\Program Files\RBS Server\rbsmgr.exe
C:\Program Files\RBS Server\RBS.exe
C:\GV600\BcastTcp.exe
C:\GV600\DmHealthSvr.exe
C:\GV600\DMMailServer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\tmp\hijackthis.exe

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IVMRun] C:\Program Files\NCH Swift Sound\IVM\ivm.exe /logon
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Shortcut to GV600.lnk = C:\GV600\GV600.exe
O4 - Startup: Start RBS Server.lnk = C:\Program Files\RBS Server\rbsmgr.exe
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV600\DM500Startup.exe
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31ef3b6fc0b376...ip/RdxIE601.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.nimsys.com/tsweb/msrdp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IVM Answering Attendant Service - Unknown - C:\Program Files\NCH Swift Sound\IVM\ivm.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Thanks for your help :)

Rgds,

Pierre
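
The eScan output above is a flat list in which the same file is reported twice, once under its 8.3 short path (C:\DOCUME~1\...) and once under its long path (C:\Documents and Settings\...), and in which the hits inside Norton's Quarantine folder are copies Norton has already contained rather than live files. The Python script below is an added example, not part of this thread and not code from eScan or any tool mentioned here: it parses lines of that shape, collapses the short/long-path duplicates with a heuristic key (detection name plus the last two path components, lower-cased; this is an assumption about the output, not how eScan itself reports), and summarises the unique hits by detection, by where the file lives and by the "not-a-virus:" riskware prefix. The sample lines are constructed from the shape of the output posted above.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of the eScan (mwav) output posted in the thread.
# The two zserv.cab lines are the same file under its short and long path.
ESCAN_SAMPLE = r"""
File C:\WINNT\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINNT\farmmext.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\THI32FE.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\THI32FE.tmp\zserv.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\048C0000.VBN infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\My Documents\misc\bbctick1.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
"""


class Hit(NamedTuple):
    path: str
    detection: str
    action: str


# Two line shapes appear in the output: "infected by" with a quoted name, and "tagged as".
INFECTED_RE = re.compile(r'^File (.+?) infected by "([^"]+)" Virus\. Action Taken: (.+)$')
TAGGED_RE = re.compile(r'^File (.+?) tagged as (\S+)\. (.+)$')


def parse_escan(text: str) -> List[Hit]:
    """Turn each result line into a Hit; lines of any other shape are ignored."""
    hits = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip()) or TAGGED_RE.match(line.strip())
        if m:
            hits.append(Hit(*m.groups()))
    return hits


def dedupe(hits: List[Hit]) -> List[Hit]:
    r"""Collapse 8.3 and long-name spellings of one file (assumption: same detection
    and same last two path components means the same file, e.g.
    C:\DOCUME~1\...\THI32FE.tmp\zserv.cab and
    C:\Documents and Settings\...\THI32FE.tmp\zserv.cab)."""
    seen, unique = set(), []
    for h in hits:
        key = (h.detection.lower(), tuple(h.path.lower().split("\\")[-2:]))
        if key not in seen:
            seen.add(key)
            unique.append(h)
    return unique


def location(path: str) -> str:
    """Where the file lives decides how urgent it is: a .VBN under an AV quarantine
    folder is an already-contained copy, a Temp hit is usually installer residue."""
    p = path.lower()
    if "\\quarantine\\" in p and p.endswith(".vbn"):
        return "av-quarantine"
    if "\\temp\\" in p:
        return "temp"
    return "other"


def severity(detection: str) -> str:
    """Kaspersky-style names prefixed 'not-a-virus:' are adware/riskware, not malware."""
    return "riskware" if detection.lower().startswith("not-a-virus:") else "malware"


def summarize(hits: List[Hit]) -> Dict[str, Counter]:
    return {
        "by_detection": Counter(h.detection for h in hits),
        "by_location": Counter(location(h.path) for h in hits),
        "by_severity": Counter(severity(h.detection) for h in hits),
        "by_action": Counter(h.action for h in hits),
    }


if __name__ == "__main__":
    unique = dedupe(parse_escan(ESCAN_SAMPLE))
    for name, counter in summarize(unique).items():
        print(name, dict(counter))
```

On the sample the six lines collapse to five unique hits: three outside Temp and quarantine (the two files in C:\WINNT and the reboot tool in My Documents), one Temp leftover and one quarantined copy, with every action still "No Action Taken." because the free scanner only reports.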

Guest_pierretopping_*
installer2.exe
« Reply #3 on: February 02, 2005, 09:54:38 AM »
Hi,

Also just to let you know that I have a process called "lrhcyhm.exe" that is taking all my CPU :-(

Rgds,

Pierre

Offline guestolo
installer2.exe
« Reply #4 on: February 02, 2005, 01:03:02 PM »
Hi again Pierre
Can you please redownload Hijackthis
Don't let it save to your Temp folder
We are going to clean that folder and all your backups will be lost

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

After you have done that
Download and Install this small program
to help clean your temp folders, cookies, prefetch, etc.
Windows Cleanup
Install it for now but don't run a scan yet
Hold onto this

Quote
The version of Spybot is 1.2 with "no detection updates installed", strange as I do click on the update icon ?

Spybot 1.2 is no longer updating or supported, actually, it's been outdated for quite some time
Can you Access your Add/Remove programs and uninstall Spybot 1.2
After you have done that

Download and Install Spybot S&D 1.3
When Installing, please don't enable TEA TIMER; it's a great addon to Spybot but it can get in our way when doing manual fixes. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the  SEARCH FOR UPDATES button, Check and download all updates
Don't run a scan yet, but ensure it is right up to date

Print this out or save to a Notepad file on your Desktop
I'll also need you to Restart in safe mode soon, I supplied a link below if you're unsure how to

Open Hijackthis from that new folder

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll

O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31ef3b6fc0b376...ip/RdxIE601.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Restart your computer into SAFE MODE

Find and delete these files if they exist

C:\WINNT\farmmext.exe <--this file
C:\WINNT\ZServ.dll <--file
look for this one too, I don't see it running anymore, but delete it if found
c:\winnt\system32\lrhcyhm.exe <--file

Stay in Safe mode

You can choose to clean your Quarantine list in Norton's
Mwav identified them, but they should be safe in the folder
I would clean it out however

NEXT
Open up Windows CleanUp! that you installed earlier
START>>All programs>>Cleanup
Click on the CleanUp button
Let it finish scanning for files, when it's done it will prompt you to Log off
Don't at this time

Instead
Open Spybot 1.3
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems. Let it complete its scanning --- Ensure to check and FIX everything in RED --- they should be checked by default

RESTART your computer back to Normal mode to finish the Cleaning process

When you're back in Windows

Can you download and save to desktop
VX2.Finder.exe
Run the program
Click the "Click to Find VX2.BetterInternet"
Let it finish scanning>>this won't take long
When it's done
"Make a log" and post it back here

Also post a Fresh hijackthis log

A couple files marked as not a virus by mwav I want a closer look at
One looks legit
Can you go to this link
http://virusscan.jotti.org/
Give it time to load if it's busy

Use the BROWSE button at the top and Navigate to this file
C:\My Documents\WAV'S\cds113.zip <--this file

Right click on the file and choose Select
Back at the site choose SUBMIT
Wait for the Scan Results and copy and paste them back here, thanks

Could you do the same for this file too
C:\My Documents\USB drive backup\CUTEftp\CUTE3032.EXE
This one looks legit, just checking
« Last Edit: February 02, 2005, 01:10:18 PM by guestolo »
Guest_pierretopping_*
installer2.exe
« Reply #5 on: February 02, 2005, 03:34:50 PM »
Hi,

All done...

The output from VX2.Finder.exe was:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
NavLogon
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---



The latest HijackThis log is:

Logfile of HijackThis v1.99.0
Scan saved at 20:28:05, on 02/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sstray.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\GV600\GV600.exe
C:\Program Files\RBS Server\rbsmgr.exe
C:\Program Files\RBS Server\RBS.exe
C:\WINNT\system32\taskmgr.exe
C:\GV600\BcastTcp.exe
C:\GV600\DmHealthSvr.exe
C:\GV600\DMMailServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\programs\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lrhcyhm] c:\winnt\system32\lrhcyhm.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Shortcut to GV600.lnk = C:\GV600\GV600.exe
O4 - Startup: Start RBS Server.lnk = C:\Program Files\RBS Server\rbsmgr.exe
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV600\DM500Startup.exe
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.nimsys.com/tsweb/msrdp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Going to the http://virusscan.jotti.org site and scanning cds113.zip, it came back with the following:-
File:  cds113.zip  
Status:  INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
Packers detected:  None
   
AntiVir  No viruses found (0.46 seconds taken)
Avast  No viruses found (3.04 seconds taken)
BitDefender  No viruses found (9.49 seconds taken)
ClamAV  No viruses found (5.20 seconds taken)
Dr.Web  No viruses found (2.83 seconds taken)
F-Prot Antivirus  No viruses found (0.64 seconds taken)
Fortinet  No viruses found (1.53 seconds taken)
Kaspersky Anti-Virus  not-a-virus:Tool.Win32.Reboot (4.89 seconds taken)
mks_vir  No viruses found (0.51 seconds taken)
NOD32  No viruses found (1.31 seconds taken)
Norman Virus Control  No viruses found (0.57 seconds taken)
   
The system is running 100% better now :)

Would you say that its now OK ?

Rgds,

Pierre

Guest_pierretopping_*

  • Guest
installer2.exe
« Reply #6 on: February 02, 2005, 03:38:10 PM »
Hi,

Sorry, the output from the scan on CUTE3032.exe was :-

File:  CUTE3032.EXE  
Status:  INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
Packers detected:  None
   
AntiVir  No viruses found (0.32 seconds taken)
Avast  No viruses found (3.02 seconds taken)
BitDefender  No viruses found (3.21 seconds taken)
ClamAV  No viruses found (1.63 seconds taken)
Dr.Web  No viruses found (1.00 seconds taken)
F-Prot Antivirus  No viruses found (0.14 seconds taken)
Fortinet  No viruses found (0.71 seconds taken)
Kaspersky Anti-Virus  not-a-virus:AdWare.Aureate (2.92 seconds taken)
mks_vir  No viruses found (0.42 seconds taken)
NOD32  No viruses found (0.69 seconds taken)
Norman Virus Control  No viruses found (0.26 seconds taken)
   

Thanks again,

Rgds,

Pierre

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
installer2.exe
« Reply #7 on: February 02, 2005, 04:19:50 PM »
Looks good


Careful with those 2 files
One is a zipped archive, not sure what you have in there but something is coming up Infected
cds113.zip

The other is also coming up nondestructive
CUTE3032.EXE
Seems related to an ftp server product
you could navigate to that file and rename CUTE3032.EXE >>>CUTE3032.old

If you find no ill effects with it then delete the file in time

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [lrhcyhm] c:\winnt\system32\lrhcyhm.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer
Optionally you can fix these ones too,
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

If you choose to fix the 2 above, enter QuickTime's preferences and disable it on startup
then have hijackthis fix that entry
Realsched.exe>>RealPlayer's updater, not needed on startup, somewhat of a resource hog
If you choose to fix it with Hijackthis
Enter your task manager ahead of time and end process on it and then navigate to
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Rename realsched.exe>>>realsched.old
This should ensure it won't startup


You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Post back one last hijackthis log, I want to ensure that one entry is gone
P.S. Make sure you don't enter the Task Manager and end process on anything until I see the scanned log
« Last Edit: February 02, 2005, 04:30:23 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest_pierretopping_*

  • Guest
installer2.exe
« Reply #8 on: February 02, 2005, 06:00:14 PM »
Hi,

Thanks for your help on this, you're one in a million....

The log is now :-

Logfile of HijackThis v1.99.0
Scan saved at 22:56:40, on 02/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sstray.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\GV600\GV600.exe
C:\Program Files\RBS Server\rbsmgr.exe
C:\Program Files\RBS Server\RBS.exe
C:\GV600\BcastTcp.exe
C:\GV600\DmHealthSvr.exe
C:\GV600\DMMailServer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\programs\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Shortcut to GV600.lnk = C:\GV600\GV600.exe
O4 - Startup: Start RBS Server.lnk = C:\Program Files\RBS Server\rbsmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV600\DM500Startup.exe
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.nimsys.com/tsweb/msrdp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Would it be possible to get the stuff I had on my PC from running shareware? I loaded a shareware program called "ivmIVM Phone Answering Attendant Software" from http://www.nch.com.au/ivm/ and then all my problems started? Would I be able to find out, or is it best not to touch (better safe than sorry)?

Rgds,

Pierre
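As an added example, not code from the thread or from HijackThis itself: a small Python script that parses the O4 autostart lines from two HijackThis logs and reports which entries disappeared, which is the check guestolo asked for (that the [lrhcyhm] Run entry is gone after FIX CHECKED). The two log excerpts inside it are constructed from the before and after logs posted above.

```python
"""Diff the O4 (autostart) entries of two HijackThis logs to confirm a fix took."""
import re
from typing import Dict, Set, Tuple

# "O4 - HKLM\..\Run: [<name>] <command>"  and  "O4 - [Global ]Startup: <lnk> = <target>"
_O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O4_LNK = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

# Constructed excerpts modelled on the two logs posted in this thread (before and after FIX CHECKED).
BEFORE = """\
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"  -osboot
O4 - HKLM\\..\\Run: [lrhcyhm] c:\\winnt\\system32\\lrhcyhm.exe
O4 - Startup: Shortcut to GV600.lnk = C:\\GV600\\GV600.exe
"""
AFTER = """\
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - Startup: Shortcut to GV600.lnk = C:\\GV600\\GV600.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
"""

def parse_o4(log: str) -> Dict[str, str]:
    """Map each O4 entry to its command, keyed 'HKLM\\Run:[name]' or 'Startup:<shortcut>'."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = _O4_RUN.match(line)
        if m:
            entries[f"{m['hive']}\\{m['key']}:[{m['name']}]"] = m["cmd"].strip()
            continue
        m = _O4_LNK.match(line)
        if m:
            entries[f"{m['where']}:{m['name']}"] = m["cmd"].strip()
    return entries

def diff_o4(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added): autostart keys present only in the earlier / only in the later log."""
    b, a = parse_o4(before), parse_o4(after)
    return set(b) - set(a), set(a) - set(b)

def entry_gone(after: str, needle: str) -> bool:
    """True when no O4 key or command in the later log still mentions `needle` (case-insensitive)."""
    return not any(needle.lower() in (k + v).lower() for k, v in parse_o4(after).items())

if __name__ == "__main__":
    removed, added = diff_o4(BEFORE, AFTER)
    print("removed:", sorted(removed))   # includes HKLM\Run:[lrhcyhm]
    print("added:  ", sorted(added))
    print("lrhcyhm gone:", entry_gone(AFTER, "lrhcyhm"))  # True
```

The same comparison works on the full logs: paste each one into a file and pass its contents in place of the constructed excerpts.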

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
installer2.exe
« Reply #9 on: February 02, 2005, 06:18:01 PM »
The software looks legit, I've never used it and am not too familiar with it
You can check their site for any Privacy policy, read between the lines
I may check it out too......

As a shareware program you would think it would be ok....
I would browse around for a couple of days and if you have no problems
Leave well enough alone

Install SpywareBlaster and IE-Spyad--check for updates every couple of weeks

Hold onto Spybot and Ad-Aware and check for updates every couple of weeks and run scans
A little added protection
Open Spybot>>Click on Immunize>>OK>>Immunize at the top
Do this after every update

Hold onto Windows CleanUp! and clean those temp folders at least every couple of weeks

If you have any questions concerning "ivmIVM Phone Answering Attendant Software"

Check on their  forum
Not Spyware related, but technical issues :D
Here's a link
http://nch.invisionzone.com/index.php?showforum=13
« Last Edit: February 02, 2005, 06:20:59 PM by guestolo »



Guest_pierretopping_*

  • Guest
installer2.exe
« Reply #10 on: February 02, 2005, 06:39:07 PM »
Hi,

Thanks for all your help on this :-)

I've posted a "question" on the forum of that shareware program to see what comes back.

I'll do as you said about installing and updating the programs like Spybot. Good advice.....Thanks

Are you the person that wrote the hijackthis software ?

Rgds,

Pierre

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
installer2.exe
« Reply #11 on: February 03, 2005, 01:56:50 AM »
Quote
Are you the person that wrote the hijackthis software ?
Nope

That great piece of software was written by Merijn Bellekom
Here's a quote from his site

Quote
I am a student from the Netherlands that codes in his free time, and especially CWShredder and HijackThis
« Last Edit: February 03, 2005, 01:57:16 AM by guestolo »



Guest_pierretopping_*

  • Guest
installer2.exe
« Reply #12 on: February 03, 2005, 04:34:45 AM »
Thanks for all your help with this....

I'll send something via Paypal to keep the great program working for others.

Rgds and thanks again..

Pierre