Author Topic: another computer another popup problem (Read 1733 times)

asquare · « **on:** February 12, 2005, 11:48:30 AM »

Hi Again,
Here is another computer again with the popup problem . I have already downloaded adaware, spybot S&D, cwshredder, spywareblaster, windowscleanup, asquared scanner and iespyware-2. With all these I have updated and scanned my computer.

Howver I still am being informed by the sys admin that my computer is blocking up the network by pinging excessively. This might be a possible hacker. Kindly help me out with this . here is the log file generated by Hijack this:

Logfile of HijackThis v1.99.0
Scan saved at 11:51:37 AM, on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Media\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\msnmgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\icm\Application Data\rprn.exe
C:\WINNT\system32\r?ndll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\a2 free\a2start.exe
C:\Program Files\a2 free\a2scan.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\icm\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ddhqvkommmmlvpukttjl.com/SNmLeL...ED_mh25BP8l.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O2 - BHO: (no name) - {FBD58107-69CA-161F-B7D9-16640CDD18C0} - C:\WINNT\system32\itqb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [qXeji.exe] C:\documents and settings\icm\local settings\temp\qXeji.exe
O4 - HKLM\..\Run: [oLzIX.exe] c:\documents and settings\icm\local settings\temp\oLzIX.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Windows NT Service Name] msnmgr.exe
O4 - HKLM\..\RunServices: [Windows NT Service Name] msnmgr.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aels] C:\Documents and Settings\icm\Application Data\rprn.exe
O4 - HKCU\..\Run: [Aiokuyk] C:\WINNT\system32\r?ndll32.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...com/USA/fly.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} (XView Class) - http://download.actify.com/SpinFire/SFViewerWeb.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/ve...n7/dlhelper.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\icm\Desktop\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: FLEXlm server for PTC - Unknown - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Hummingbird Inetd - Hummingbird Communications Ltd. - C:\WINNT\System32\Hummbird\inetd32.exe
O23 - Service: ICEM CFD FLEXlm Manager - Unknown - C:\icemcfd\4.2-win\lic\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINNT\Media\svchost.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Task Manager - Unknown - C:\WINNT\system\svchost.exe

Looking forward to hearing form you soon,

Regards
Akshay

guestolo · « **Reply #1 on:** February 12, 2005, 03:12:41 PM »

Could you Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Also supply a fresh Hijackthis log, thanks

asquare · « **Reply #2 on:** February 12, 2005, 06:11:27 PM »

Hi again,
As said here is the listing of the servicefilter.vbs script.

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Feb 12, 2005 6:15:38 PM

===> Begin Service Listing <===

Unknown Service #1
Service Name: DefWatch
Display Name: Symantec AntiVirus Definition Watcher
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec AntiVirus Definition ...
Service Type: Own Process
Path: "c:\program files\symantec antivirus\defwatch.exe"
State: Running
Process ID: 648
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: DNTUS26
Display Name: DameWare NT Utilities 2.6
Start Mode: Auto
Start Name: LocalSystem
Description: DameWare NT Utilities ...
Service Type: Own Process
Path: c:\winnt\system32\dntus26.exe
State: Running
Process ID: 668
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: FLEXlm server for PTC
Display Name: FLEXlm server for PTC
Start Mode: Auto
Start Name: LocalSystem
Description: FLEXlm server for ...
Service Type: Own Process
Path: "c:\program files\flexlm\i486_nt\obj\lmgrd.exe"
State: Running
Process ID: 696
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service #4
Service Name: HCLInetd
Display Name: Hummingbird Inetd
Start Mode: Auto
Start Name: LocalSystem
Description: Hummingbird ...
Service Type: Own Process
Path: c:\winnt\system32\hummbird\inetd32.exe
State: Running
Process ID: 716
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 5
Service Name: ICEM CFD FLEXlm Manager
Display Name: ICEM CFD FLEXlm Manager
Start Mode: Auto
Start Name: LocalSystem
Description: ICEM CFD FLEXlm ...
Service Type: Own Process
Path: c:\icemcfd\4.2-win\lic\lmgrd.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Machine Debug ...
Service Type: Own Process
Path: "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 7
Service Name: r_server
Display Name: Remote Administrator Service
Start Mode: Auto
Start Name: LocalSystem
Description: Remote Administrator ...
Service Type: Own Process
Path: "c:\winnt\media\svchost.exe" /service
State: Running
Process ID: 876
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 8
Service Name: SavRoam
Display Name: SAVRoam
Start Mode: Manual
Start Name: LocalSystem
Description: SAVRoam...
Service Type: Own Process
Path: "c:\program files\symantec antivirus\savroam.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 9
Service Name: SNDSrvc
Display Name: Symantec Network Drivers Service
Start Mode: Manual
Start Name: LocalSystem
Description: Symantec Network Drivers ...
Service Type: Own Process
Path: "c:\program files\common files\symantec shared\sndsrvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 10
Service Name: Symantec AntiVirus
Display Name: Symantec AntiVirus
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec ...
Service Type: Own Process
Path: "c:\program files\symantec antivirus\rtvscan.exe"
State: Running
Process ID: 532
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 11
Service Name: TskMan
Display Name: Task Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Task ...
Service Type: Own Process
Path: c:\winnt\system\svchost.exe
State: Running
Process ID: 1004
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 12
Service Name: CWShredder Service
Display Name: CWShredder Service
Start Mode: Auto
Start Name: LocalSystem
Description: CWShredder ...
Service Type: Own Process
Path: c:\documents and settings\icm\desktop\cwshredder.exe service
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 75 Win32 services on this machine.
12 were unrecognized.

Script Execution Time: 0.53125 seconds.

I am also attaching a fresh highjackthis log as under:

Logfile of HijackThis v1.99.0
Scan saved at 6:19:52 PM, on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Media\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\msnmgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\icm\Application Data\rprn.exe
C:\WINNT\system32\r?ndll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\icm\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ddhqvkommmmlvpukttjl.com/SNmLeL...ED_mh25BP8l.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O2 - BHO: (no name) - {FBD58107-69CA-161F-B7D9-16640CDD18C0} - C:\WINNT\system32\itqb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [qXeji.exe] C:\documents and settings\icm\local settings\temp\qXeji.exe
O4 - HKLM\..\Run: [oLzIX.exe] c:\documents and settings\icm\local settings\temp\oLzIX.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Windows NT Service Name] msnmgr.exe
O4 - HKLM\..\RunServices: [Windows NT Service Name] msnmgr.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aels] C:\Documents and Settings\icm\Application Data\rprn.exe
O4 - HKCU\..\Run: [Aiokuyk] C:\WINNT\system32\r?ndll32.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...com/USA/fly.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} (XView Class) - http://download.actify.com/SpinFire/SFViewerWeb.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/ve...n7/dlhelper.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\icm\Desktop\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: FLEXlm server for PTC - Unknown - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Hummingbird Inetd - Hummingbird Communications Ltd. - C:\WINNT\System32\Hummbird\inetd32.exe
O23 - Service: ICEM CFD FLEXlm Manager - Unknown - C:\icemcfd\4.2-win\lic\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINNT\Media\svchost.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Task Manager - Unknown - C:\WINNT\system\svchost.exe

Looking forward to hearing from you

Regards
Akshay

guestolo · « **Reply #3 on:** February 13, 2005, 01:02:50 AM »

Sorry for the delay asquare

This entry here in your log in the services may be an indication of a Keylogger
C:\WINNT\SYSTEM32\DNTUS26.EXE
Are you or the user aware of it's presence?
There is also a couple more nasty services running on the computer

I see you have Asquared installed
But could you also run the Trial version of TDS-3 through the computer
It's good for 30 days, at which time just simply uninstall it
It may be best to disable Asquared's Guard protection before running and leave it disabled until we get the log clean

Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet

When your back in Windows it's important to update the latest RADIUS database

IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

If your unsure how to update it follow the instructions from this link
http://tds.diamondcs.com.au/index.php?page=update
Follow the Manual update procedure
Again, don't run a scan yet

Print this out or save to a Notepad file for easy access

Restart into Safe mode without Network connection
You can do this by tapping the F8 key as The system is booting up

Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Restart back to Normal mode
Post a fresh Hijackthis log and the scandump.txt from TDS-3
Could you also post a fresh ServiceFilters Post_This.txt, thanks

Then we should be able to do some final cleanup

asquare · « **Reply #4 on:** February 13, 2005, 02:37:24 PM »

Hi,
based on instructions downloaded TDS-3 updated it and ran scan in safemode. Have also deleted positively identified files. here is the scandump.txt file generated:

Scan Control Dumped @ 14:27:19 13-02-05
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows NT Service Name=msnmgr.exe]

RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows NT Service Name=msnmgr.exe]

Positive identification: RAT.ServU-Based.h
File: c:\winnt\system\svchost.exe

Positive identification: Adware.PurityScan.w10
File: c:\documents and settings\icm\application data\rprn.exe

Positive identification (DLL): TrojanDownloader.Win32.Braidupdate.d (dll)
File: c:\documents and settings\icm\local settings\temp\temp.fr3e07

Positive identification <Adv>: Possible WebDownloader
File: c:\program files\microsoft office\office10\msohtmed.exe

Positive identification: Riskware.PSWTool.PWDump2
File: c:\winnt\msapps\msinfo\pw\pwdump2.exe

Positive identification: RAT.ServU-Based.h
File: c:\winnt\system\svchost.exe

Positive identification (DLL): Adware.PurityScan.ak3 (dll)
File: c:\winnt\system32\itqb.dll

Also here is a fresh log of highjackthis:

Logfile of HijackThis v1.99.0
Scan saved at 2:38:22 PM, on 2/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\msnmgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\r?ndll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\icm\Desktop\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ddhqvkommmmlvpukttjl.com/SNmLeL...ED_mh25BP8l.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O2 - BHO: (no name) - {FBD58107-69CA-161F-B7D9-16640CDD18C0} - C:\WINNT\system32\itqb.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [qXeji.exe] C:\documents and settings\icm\local settings\temp\qXeji.exe
O4 - HKLM\..\Run: [oLzIX.exe] c:\documents and settings\icm\local settings\temp\oLzIX.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Windows NT Service Name] msnmgr.exe
O4 - HKLM\..\RunServices: [Windows NT Service Name] msnmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aels] C:\Documents and Settings\icm\Application Data\rprn.exe
O4 - HKCU\..\Run: [Aiokuyk] C:\WINNT\system32\r?ndll32.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...com/USA/fly.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} (XView Class) - http://download.actify.com/SpinFire/SFViewerWeb.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/ve...n7/dlhelper.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\icm\Desktop\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: FLEXlm server for PTC - Unknown - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Hummingbird Inetd - Hummingbird Communications Ltd. - C:\WINNT\System32\Hummbird\inetd32.exe
O23 - Service: ICEM CFD FLEXlm Manager - Unknown - C:\icemcfd\4.2-win\lic\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINNT\Media\svchost.exe (file missing)
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Task Manager - Unknown - C:\WINNT\system\svchost.exe (file missing)

And as you had asked here is the scanlog of servicefilters_postthis:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Feb 13, 2005 2:39:00 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: CWShredder Service
Display Name: CWShredder Service
Start Mode: Auto
Start Name: LocalSystem
Description: CWShredder ...
Service Type: Own Process
Path: c:\documents and settings\icm\desktop\cwshredder.exe service
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: DefWatch
Display Name: Symantec AntiVirus Definition Watcher
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec AntiVirus Definition ...
Service Type: Own Process
Path: "c:\program files\symantec antivirus\defwatch.exe"
State: Running
Process ID: 672
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: DNTUS26
Display Name: DameWare NT Utilities 2.6
Start Mode: Auto
Start Name: LocalSystem
Description: DameWare NT Utilities ...
Service Type: Own Process
Path: c:\winnt\system32\dntus26.exe
State: Running
Process ID: 696
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: FLEXlm server for PTC
Display Name: FLEXlm server for PTC
Start Mode: Auto
Start Name: LocalSystem
Description: FLEXlm server for ...
Service Type: Own Process
Path: "c:\program files\flexlm\i486_nt\obj\lmgrd.exe"
State: Running
Process ID: 728
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service #5
Service Name: HCLInetd
Display Name: Hummingbird Inetd
Start Mode: Auto
Start Name: LocalSystem
Description: Hummingbird ...
Service Type: Own Process
Path: c:\winnt\system32\hummbird\inetd32.exe
State: Running
Process ID: 744
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: ICEM CFD FLEXlm Manager
Display Name: ICEM CFD FLEXlm Manager
Start Mode: Auto
Start Name: LocalSystem
Description: ICEM CFD FLEXlm ...
Service Type: Own Process
Path: c:\icemcfd\4.2-win\lic\lmgrd.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Machine Debug ...
Service Type: Own Process
Path: "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 792
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 8
Service Name: r_server
Display Name: Remote Administrator Service
Start Mode: Auto
Start Name: LocalSystem
Description: Remote Administrator ...
Service Type: Own Process
Path: "c:\winnt\media\svchost.exe" /service
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 9
Service Name: SavRoam
Display Name: SAVRoam
Start Mode: Manual
Start Name: LocalSystem
Description: SAVRoam...
Service Type: Own Process
Path: "c:\program files\symantec antivirus\savroam.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 10
Service Name: SNDSrvc
Display Name: Symantec Network Drivers Service
Start Mode: Manual
Start Name: LocalSystem
Description: Symantec Network Drivers ...
Service Type: Own Process
Path: "c:\program files\common files\symantec shared\sndsrvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 11
Service Name: Symantec AntiVirus
Display Name: Symantec AntiVirus
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec ...
Service Type: Own Process
Path: "c:\program files\symantec antivirus\rtvscan.exe"
State: Running
Process ID: 752
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 12
Service Name: TskMan
Display Name: Task Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Task ...
Service Type: Own Process
Path: c:\winnt\system\svchost.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 75 Win32 services on this machine.
12 were unrecognized.

Script Execution Time: 7.519531 seconds.

Let me know what needs to be done further. As for the file DNTUS26, its is an unrecognised service. We do not know anything about it. So I guess that is the hacker. Let us know what we need to do to remove it.

Regards
Akshay

guestolo · « **Reply #5 on:** February 13, 2005, 08:37:22 PM »

Let's try this
With Windows set to show Hidden files and folders

RESTART into safe mode

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Task Manager

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic

Do the same for these ones too and do the same
DameWare NT Utilities 2.6
Remote Administrator Service

Stay in safe mode

Find and delete these files or folders
C:\documents and settings\icm\local settings\temp\qXeji.exe
O4 - HKLM\..\Run: [oLzIX.exe] c:\documents and settings\icm\local settings\temp\oLzIX.exe
Or better yet empty the Whole contents of that temp folder

Search for these ones and remove then
E6F1873B.DLL
D9EBC318C
D0CE0C16B1

C:\Documents and Settings\icm\Application Data\rprn.exe
C:\WINNT\system32\msnmgr.exe <--this file, doesn't look in the right directory, can you right click on it and look at the properties
Date created and version tab
I would send it to the recycle bin

C:\WINNT\system32\r?ndll32.exe <--file, careful, there is a legit rundll32.exe
About 36 kb in size<<Don't delete this one
The bad guy will probably be bigger in size

Navigate to this file
C:\WINNT\SYSTEM32\DNTUS26.EXE Right click on it and rename it too
DNTUS26.EX_
That should disable the file>>It may be legit

Stay in safe mode

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ddhqvkommmmlvpukttjl.com/SNmLeL...ED_mh25BP8l.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {FBD58107-69CA-161F-B7D9-16640CDD18C0} - C:\WINNT\system32\itqb.dll (file missing)

O4 - HKLM\..\Run: [qXeji.exe] C:\documents and settings\icm\local settings\temp\qXeji.exe
O4 - HKLM\..\Run: [oLzIX.exe] c:\documents and settings\icm\local settings\temp\oLzIX.exe

O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Windows NT Service Name] msnmgr.exe
O4 - HKLM\..\RunServices: [Windows NT Service Name] msnmgr.exe

O4 - HKCU\..\Run: [Aels] C:\Documents and Settings\icm\Application Data\rprn.exe
O4 - HKCU\..\Run: [Aiokuyk] C:\WINNT\system32\r?ndll32.exe

O4 - Startup: DLHelperEXE.exe

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB

O23 - Service: Remote Administrator Service - Unknown - C:\WINNT\Media\svchost.exe (file missing)
O23 - Service: Task Manager - Unknown - C:\WINNT\system\svchost.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Post back a fresh hijackthis log afterwards

P.S
Concerning this entry
O23 - Service: Remote Administrator Service - Unknown - C:\WINNT\Media\svchost.exe (file missing)
There is a legit program>> part of a remote administrator application that allows a user to work on one or more remote computers.. Famatech application
The legit version looks like this
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\System32\r_server.exe

Could you also check into this one for me please
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\icm\Desktop\CWShredder.exe
CWShredder is legit, and is maintained by Intermute, I've just never seen it run as a service before
Can you right click on CWShredder.exe
Under properties, ensure it is related too Intermute
When was the date created
Did you put CWShredder on the machine?

asquare · « **Reply #6 on:** February 14, 2005, 10:30:54 AM »

Hi,
Finally after all your requested operations. here is the updated highjackthis log file:

Logfile of HijackThis v1.99.0
Scan saved at 10:35:47 AM, on 2/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\a2\a2guard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\icm\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...com/USA/fly.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} (XView Class) - http://download.actify.com/SpinFire/SFViewerWeb.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/ve...n7/dlhelper.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\icm\Desktop\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXlm server for PTC - Unknown - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Hummingbird Inetd - Hummingbird Communications Ltd. - C:\WINNT\System32\Hummbird\inetd32.exe
O23 - Service: ICEM CFD FLEXlm Manager - Unknown - C:\icemcfd\4.2-win\lic\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Also CWShredder.exe was installed by me on this machine on Monday, February 07, 2005, 1:35:56 PM

And yes it is related to and maintained by Intermute.

Let me know if anything else needs to be done.

Regards
Akshay

asquare · « **Reply #7 on:** February 14, 2005, 09:11:58 PM »

Hi,

Eventhough I have disabled the services related with DNTUS26 and Remote Administrator Service, I still received a few scans of the machine on port 445. This happened right at the time when I was disabling the services.

Kindly let me know if there are still any malware existing or if any security loops need to be fixed with installing security updates from windows.

Regards
Akshay

asquare · « **Reply #8 on:** February 18, 2005, 03:36:24 PM »

Hi Guestolo,
I was wondering if anything else needs to be done to make system free of the remote loggers.

Let me know.

Regards
Akshay

guestolo · « **Reply #9 on:** February 18, 2005, 04:51:46 PM »

I'm still curious as to why CWShredder has to run as a Service

O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\icm\Desktop\CWShredder.exe
Can you shed some insight on this?
When you tried CWShredder, did you just download the Standalone version?
Or with SpySubtract?
=====================================================
EDIT>>It's also come to my attention, that having CWShredder as a service is This is a part of Intermute's doing
To help fix problems on startup, which will keep running until the problem is fixed
Or it could be a false positive by CWShredder
Can you have Hijackthis fix that 023 line and then Restart your computer
As a double check
Download and save to desktop
VX2 finder.exe
Open it and "Click to find VX2.BetterInternet"
Make a log and post it
=======================================================

You could
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Post back with the contents
Update your version of Hijacthis and post the log
You can get the latest version from my Signature below
Also make another log with ServiceFilter and post the Post_This.txt

TheTechGuide Forum

News:

Author Topic: another computer another popup problem (Read 1733 times)

asquare

another computer another popup problem

guestolo

another computer another popup problem

asquare

another computer another popup problem

guestolo

another computer another popup problem

asquare

another computer another popup problem

guestolo

another computer another popup problem

asquare

another computer another popup problem

asquare

another computer another popup problem

asquare

another computer another popup problem

guestolo

another computer another popup problem