My hijack log - Please reply as soon as possible

bassey · 07-25-2006, 12:59 PM

Hi
There is a RIDICULOUS amount of traffic coming from my computer going to all sorts of wierd ip addresses, It is affecting all the other systems on my lan.
I ran the housecall trendmicro online scan and some adware and malware were found however it was unable to repair/delete them all.
Here is my hijackthis log, Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 8:56:37 PM, on 7/25/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\RW5naW5lZXJpbmc\command.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Network Monitor\netmon.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\WINDOWS\winlogon.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\WINDOWS\imapi.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\WINDOWS\system32\winsock2.6.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\winsock2.6.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe
c:\nwnmef_7.exe
c:\dfndref_7.exe
c:\kybrdef_7.exe
c:\kybrdef_7.exe
c:\ac3_0010.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Administrator\Desktop\junk\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=explorer.exe winsock2.6.exe
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7979C1A1-C0AC-46F4-AFD1-E430EBFDE131} - C:\Program Files (x86)\Outlook Express\horefozep.dll (file missing)
O4 - HKLM\..\Run: [winsockdriver] winsock2.6.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe
O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe
O4 - HKLM\..\Run: [mmvece13] RUNDLL32.EXE w07029be.dll,n 001ece120000000a07029be
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [winsockdriver] winsock2.6.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.219.193.191,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\fscaayv.dll (file missing)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dicbccd.dll (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\cktdll.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\wztdecod.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\wfwfaxui.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\clmsnap.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\wgapi.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Windows Process Viewer (The Windows Process Viewer) - Unknown owner - C:\WINDOWS\winlogon.exe
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows DVD Burning Software (Windows CDR n DVD Burning Software) - Unknown owner - C:\WINDOWS\imapi.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

I have deleted:
c:\nwnmef_7.exe
c:\dfndref_7.exe
c:\kybrdef_7.exe
c:\kybrdef_7.exe
a million times, but they just keep coming back.

bassey · 07-25-2006, 11:43 PM

Anyone?

bassey · 07-27-2006, 02:19 AM

bump.

Vikesrock8411 · 07-28-2006, 03:34 PM

I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads(make sure to save these in a permanent location)
Cleanup!- Install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.
Ewido Anti-Malware

Install Ewido Anti-Malware
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
Brute Force Uninstaller to your desktop.

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=explorer.exe winsock2.6.exe
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: (no name) - {7979C1A1-C0AC-46F4-AFD1-E430EBFDE131} - C:\Program Files (x86)\Outlook Express\horefozep.dll (file missing)
O4 - HKLM\..\Run: [winsockdriver] winsock2.6.exe
O4 - HKLM\..\Run: [mmvece13] RUNDLL32.EXE w07029be.dll,n 001ece120000000a07029be
O4 - HKCU\..\RunOnce: [winsockdriver] winsock2.6.exe
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\fscaayv.dll (file missing)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dicbccd.dll (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\cktdll.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\wztdecod.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\wfwfaxui.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\clmsnap.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\wgapi.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
winsock2.6.exe <<Find via Start>Search

Please go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked.

Click OK
Press the CleanUp! button to start the program. If prompted to reboot, click No.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

Ewido Log
Panda Activescan Log
A new Hijackthis! Log

bassey · 07-31-2006, 06:44 AM

Thanks Vikesrock8411

I couldn't run ewido because my system is 64bits :-(
However I did everything else you asked me to do. Here are my HJT and active scan reports:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 2:38:33 PM, on 7/31/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\WINDOWS\winlogon.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\junk\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.220.50.236:3126
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\slqonkk.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Activescan:

Incident Status Location

Adware:Adware/DollarRevenue Not disinfected C:\dfndref_7.exe
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\Virus removal\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WHA7OH6R\drsmartload[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe
Adware:adware/dollarrevenue Not disinfected C:\drsmartload45a7i.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload46a7i.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload849a7i.exe
Adware:Adware/Look2Me Not disinfected C:\Installer3.exe
Adware:Adware/DollarRevenue Not disinfected C:\kybrdef_7.exe
Adware:Adware/ISearch Not disinfected C:\MTE3NDI6ODoxNg.exe
Adware:Adware/Ucmore Not disinfected C:\Program Files (x86)\TheSearchAccelerator\IUCmore.dll
Adware:Adware/Ucmore Not disinfected C:\Program Files (x86)\TheSearchAccelerator\UCMTSAIE.dll
Adware:Adware/Ucmore Not disinfected C:\ucmoreiex.exe
Adware:Adware/Look2Me Not disinfected C:\warebundlenewer.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\byxwutt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\byxwxvs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbxwwvt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcbbyv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcyvsp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hggecaw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hgggffc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkjijh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkllmj.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\khfcdbc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjghgd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjhgdc.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\mmvece13.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnkjgg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnkkhh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnkige.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnnnmk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnonmj.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\pmnklkl.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qommmlk.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\slqonkk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqnmmk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tuvvwvs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\urqronm.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\w07029be.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvutqrs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvuuuvw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xxyvtur.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xxywwxu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yaywurp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayxuro.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\byxwutt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\byxwxvs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\cbxwwvt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ddcbbyv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ddcyvsp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\hggecaw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\hgggffc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\jkkjijh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\jkkllmj.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\khfcdbc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ljjghgd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ljjhgdc.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\SysWOW64\mmvece13.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\nnnkjgg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\nnnkkhh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\opnkige.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\opnnnmk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\opnonmj.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\pmnklkl.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\qommmlk.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\SysWOW64\slqonkk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ssqnmmk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\tuvvwvs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\urqronm.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\SysWOW64\w07029be.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\wvutqrs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\wvuuuvw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\xxyvtur.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\xxywwxu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\yaywurp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\yayxuro.dll
Adware:adware/yoursearchengine Not disinfected C:\WINDOWS\winlogon.exe

Vikesrock8411 · 07-31-2006, 12:13 PM

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

C:\dfndref_7.exe
C:\drsmartload.exe
C:\drsmartload1.exe
C:\drsmartload45a7i.exe
C:\drsmartload46a7i.exe
C:\drsmartload849a7i.exe
C:\Installer3.exe
C:\kybrdef_7.exe
C:\MTE3NDI6ODoxNg.exe
C:\ucmoreiex.exe
C:\warebundlenewer.exe
C:\WINDOWS\system32\w07029be.dll
C:\WINDOWS\system32\mmvece13.dll
C:\WINDOWS\SysWOW64\mmvece13.dll
C:\WINDOWS\SysWOW64\w07029be.dll
C:\WINDOWS\winlogon.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click No at the 'Pending Operations prompt'.

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:WindowsSystem32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

bassey · 08-01-2006, 02:19 AM

Thanks,
Here are my logs. VundoFix didn't find any infections.

HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 10:08:18 AM, on 8/1/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\nwnmff_7.exe
C:\dfndrff_7.exe
C:\kybrdff_7.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Network Monitor\netmon.exe
C:\WINDOWS\RW5naW5lZXJpbmc\command.exe
C:\Program Files (x86)\SNMPc Network Manager\snmpc32.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\nwnmff_7.exe
C:\dfndrff_7.exe
C:\kybrdff_7.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\Documents and Settings\Administrator\Desktop\junk\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.220.50.236:3126
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\vuipxspx.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\wunnls.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RW5naW5lZXJpbmc\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files (x86)\Network Monitor\netmon.exe
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

LOOK2ME DESTROYER
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/1/2006 9:37:03 AM

Infected! C:\WINDOWS\system32\slqonkk.dll
Infected! C:\WINDOWS\system32\slqonkk.dll
Infected! C:\WINDOWS\SysWOW64\slqonkk.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\slqonkk.dll
C:\WINDOWS\system32\slqonkk.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\slqonkk.dll
C:\WINDOWS\system32\slqonkk.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SysWOW64\slqonkk.dll
C:\WINDOWS\SysWOW64\slqonkk.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3C122DE4-F17A-47BF-B9BC-35902B3662B2}"
HKCR\Clsid\{3C122DE4-F17A-47BF-B9BC-35902B3662B2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B20F1499-0AD9-4425-958E-A6AE37A8D6C4}"
HKCR\Clsid\{B20F1499-0AD9-4425-958E-A6AE37A8D6C4}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{68FE2EB6-9543-466D-B044-897A9B051D9A}"
HKCR\Clsid\{68FE2EB6-9543-466D-B044-897A9B051D9A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B2FB7856-E4FE-41F6-9119-83906577E6E5}"
HKCR\Clsid\{B2FB7856-E4FE-41F6-9119-83906577E6E5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5B5EE3C0-93C7-45D3-B78A-8B1660A3A3E5}"
HKCR\Clsid\{5B5EE3C0-93C7-45D3-B78A-8B1660A3A3E5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{81C486DE-A2F6-4674-90B2-DE8C408F2892}"
HKCR\Clsid\{81C486DE-A2F6-4674-90B2-DE8C408F2892}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8D24D206-3028-4892-9E2F-BBCE7D12A07F}"
HKCR\Clsid\{8D24D206-3028-4892-9E2F-BBCE7D12A07F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{731CC555-28C5-43B9-B63B-0341023C8070}"
HKCR\Clsid\{731CC555-28C5-43B9-B63B-0341023C8070}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B01FCC27-1BCA-481E-ADD5-A56465A55CCC}"
HKCR\Clsid\{B01FCC27-1BCA-481E-ADD5-A56465A55CCC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23F4CA95-11B7-4878-B600-785D1A667AA2}"
HKCR\Clsid\{23F4CA95-11B7-4878-B600-785D1A667AA2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{71C1B830-E372-4AA4-9CF5-D312F09BFC37}"
HKCR\Clsid\{71C1B830-E372-4AA4-9CF5-D312F09BFC37}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6124AA6B-3227-4014-B553-F0AF81058A04}"
HKCR\Clsid\{6124AA6B-3227-4014-B553-F0AF81058A04}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C8F2A560-C075-4AB5-9C09-6B7C8FA3B64C}"
HKCR\Clsid\{C8F2A560-C075-4AB5-9C09-6B7C8FA3B64C}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

Vikesrock8411 · 08-01-2006, 12:28 PM

Something is regenerating your infections quite rapidly, so we will try to take everything out in one pass. I want to make sure we get all of it so I would like you to run another online scan before we begin.

Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

sUBs · 08-04-2006, 06:17 PM

Kaspersky online scanner will be down until next week.
Please use this instead -

* Click here to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.

Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.

bassey · 08-05-2006, 05:24 AM

Here are the results of the scan:

Result: 46 malware found
Backdoor.Win32.SdBot.xd (virus)
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\012L4N6P\PINKPIG[1].EXE (Renamed)
CmdServices (spyware)
System (Disinfected)
CoolWebSearch (spyware)
System (Disinfected)
Packed.Win32.CryptExe (virus)
C:\PIC4312.COM (Submitted)
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
Trojan-Clicker.Win32.VB.ly (virus)
C:\DFNDRFF_7.EXE (Renamed)
C:\DFNDRFG_7.EXE (Renamed)
Trojan-Downloader.Win32.Adload.db (virus)
C:\DRSMARTLOAD45A7I.EXE (Renamed)
C:\DRSMARTLOAD45A8A.EXE (Renamed)
C:\DRSMARTLOAD46A7I.EXE (Renamed)
C:\DRSMARTLOAD46A8A.EXE (Renamed)
C:\DRSMARTLOAD849A7I.EXE (Renamed)
C:\DRSMARTLOAD849A8A.EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y3A72TMF\DRSMARTLOAD45A[1].EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y3A72TMF\DRSMARTLOAD849A[1].EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4S34W9GS\DRSMARTLOAD46A[1].EXE (Renamed)
Trojan-Downloader.Win32.Adload.de (virus)
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WHA7OH6R\DRSMARTLOAD[1].EXE (Renamed)
Trojan-Downloader.Win32.Adload.dh (virus)
C:\KYBRDFG_7.EXE (Renamed)
Trojan-Downloader.Win32.Adload.di (virus)
C:\DRSMARTLOAD.EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4S34W9GS\LOADER[1].EXE (Renamed)
Trojan-Downloader.Win32.Adload.dj (virus)
C:\NWNMFF_7.EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\012L4N6P\NWNMFF_7[1].EXE (Renamed)
Trojan-Downloader.Win32.Adload.dk (virus)
C:\WINDOWS\SYSWOW64\CONFIG\DRXVP.EXE (Renamed)
C:\WINDOWS\SYSTEM32\CONFIG\DRXVP.EXE
Trojan-Downloader.Win32.Adload.dl (virus)
C:\KYBRDFF_7.EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XQTY3MP\KYBRDFF_7[1].EXE (Renamed)
Trojan-Downloader.Win32.Small.buy (virus)
C:\MTE3NDI6ODOXNG.EXE (Renamed)
Trojan-Downloader.Win32.Small.cyh (virus)
C:\AC3_0010.EXE (Renamed)
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\012L4N6P\AC3_0010[1].EXE (Renamed)
Trojan-Downloader.Win32.VB.aiy (virus)
C:\NWNMEF_7.EXE (Renamed)
C:\NWNMFG_7.EXE (Renamed)
UCmore (spyware)
System (Disinfected)
W32/NetMon.C (virus)
C:\PROGRAM FILES (X86)\NETWORK MONITOR\NETMON.EXE
Win32.Trojan.Downloader (spyware)
System (Disinfected)
win32.Trojan.Dnschanger (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28305
System: 10824
Not scanned: 3
Actions:
Disinfected: 7
Renamed: 26
Deleted: 0
None: 13
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\416
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{29E7E870-71A3-4FBC-9C0B-9F5849239AFD}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-08-04
F-Secure Libra: 2.4.1, 2006-08-02
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Orion: 1.2.37, 2006-08-04
F-Secure Draco: 1.0.35, 0259-24-212
F-Secure Pegasus: 1.19.0, 2006-06-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

Thank you

Vikesrock8411 · 08-05-2006, 10:59 PM

It looks like the F-Secure scanner fixed a lot of malware. Please run a new scan with Hijackthis and post the log here.

Please download the file update.zip. Unzip it to your desktop and double click on update.reg. Click Yes to merge the info into your registry.

bassey · 08-06-2006, 11:31 AM

Here is my Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:28:17 PM, on 8/6/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\RW5naW5lZXJpbmc\command.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files (x86)\Network Monitor\netmon.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Documents and Settings\Administrator\Desktop\putty.exe
C:\Program Files (x86)\Microsoft Office\Office10\MSACCESS.EXE
D:\tools\jre\bin\javaw.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\Documents and Settings\Administrator\Desktop\Virus removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.211.102.142:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\vuipxspx.dll (file missing)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\wunnls.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files (x86)\Network Monitor\netmon.exe (file missing)
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Thank you so much

Vikesrock8411 · 08-07-2006, 07:22 PM

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\vuipxspx.dll (file missing)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\wunnls.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files (x86)\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe (file missing)
Please remember to close all other windows, including browsers then click Fix checked.

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

C:\WINDOWS\system32\byxwutt.dll
C:\WINDOWS\system32\byxwxvs.dll
C:\WINDOWS\system32\cbxwwvt.dll
C:\WINDOWS\system32\ddcbbyv.dll
C:\WINDOWS\system32\ddcyvsp.dll
C:\WINDOWS\system32\hggecaw.dll
C:\WINDOWS\system32\hgggffc.dll
C:\WINDOWS\system32\jkkjijh.dll
C:\WINDOWS\system32\jkkllmj.dll
C:\WINDOWS\system32\khfcdbc.dll
C:\WINDOWS\system32\ljjghgd.dll
C:\WINDOWS\system32\ljjhgdc.dll
C:\WINDOWS\system32\nnnkjgg.dll
C:\WINDOWS\system32\nnnkkhh.dll
C:\WINDOWS\system32\opnkige.dll
C:\WINDOWS\system32\opnnnmk.dll
C:\WINDOWS\system32\opnonmj.dll
C:\WINDOWS\system32\pmnklkl.dll
C:\WINDOWS\system32\qommmlk.dll
C:\WINDOWS\system32\ssqnmmk.dll
C:\WINDOWS\system32\tuvvwvs.dll
C:\WINDOWS\system32\urqronm.dll
C:\WINDOWS\system32\wvutqrs.dll
C:\WINDOWS\system32\wvuuuvw.dll
C:\WINDOWS\system32\xxyvtur.dll
C:\WINDOWS\system32\xxywwxu.dll
C:\WINDOWS\system32\yaywurp.dll
C:\WINDOWS\system32\yayxuro.dll
C:\WINDOWS\SysWOW64\byxwutt.dll
C:\WINDOWS\SysWOW64\byxwxvs.dll
C:\WINDOWS\SysWOW64\cbxwwvt.dll
C:\WINDOWS\SysWOW64\ddcbbyv.dll
C:\WINDOWS\SysWOW64\ddcyvsp.dll
C:\WINDOWS\SysWOW64\hggecaw.dll
C:\WINDOWS\SysWOW64\hgggffc.dll
C:\WINDOWS\SysWOW64\jkkjijh.dll
C:\WINDOWS\SysWOW64\jkkllmj.dll
C:\WINDOWS\SysWOW64\khfcdbc.dll
C:\WINDOWS\SysWOW64\ljjghgd.dll
C:\WINDOWS\SysWOW64\ljjhgdc.dll
C:\WINDOWS\SysWOW64\nnnkjgg.dll
C:\WINDOWS\SysWOW64\nnnkkhh.dll
C:\WINDOWS\SysWOW64\opnkige.dll
C:\WINDOWS\SysWOW64\opnnnmk.dll
C:\WINDOWS\SysWOW64\opnonmj.dll
C:\WINDOWS\SysWOW64\pmnklkl.dll
C:\WINDOWS\SysWOW64\qommmlk.dll
C:\WINDOWS\SysWOW64\ssqnmmk.dll
C:\WINDOWS\SysWOW64\tuvvwvs.dll
C:\WINDOWS\SysWOW64\urqronm.dll
C:\WINDOWS\SysWOW64\wvutqrs.dll
C:\WINDOWS\SysWOW64\wvuuuvw.dll
C:\WINDOWS\SysWOW64\xxyvtur.dll
C:\WINDOWS\SysWOW64\xxywwxu.dll
C:\WINDOWS\SysWOW64\yaywurp.dll
C:\WINDOWS\SysWOW64\yayxuro.dll
C:\WINDOWS\RW5naW5lZXJpbmc\command.exe
C:\WINDOWS\SYSTEM32\CONFIG\DRXVP.EXE
C:\PROGRAM FILES (X86)\NETWORK MONITOR\NETMON.EXE

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Run a new scan with Hijackthis and post the log here.

bassey · 08-08-2006, 03:04 AM

Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:38 AM, on 8/8/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\Administrator\Desktop\Virus removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.211.102.142:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Thanks,
Bassey

Vikesrock8411 · 08-08-2006, 01:10 PM

Looks like we might have got them all

At the end of this post I'll have you run Panda again just to be sure.

I do not see an Antivirus program in you log. Please download one from the following list, install it, and run a scan. Fix anything it finds.

A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

I see you do not have a Firewall installed on your system. The Windows firewall does a poor job of protecting a system because it only monitors the traffic coming in and not going out.

Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

Panda Activescan Log
A new Hijackthis! Log

bassey · 08-09-2006, 03:30 AM

Yeah, I know I should get an antivirus but the challenge I have it that my computer is a 64bit system and nothing seems to be compatible. I however did notice on the Avast web site that they support the 64 bit architecture so I'll download and install it. Thank you so much.

Here is the activescan report:

Incident Status Location

Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
Adware:adware/ucmore Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator
Spyware:Spyware/Virtumonde Not disinfected C:\!Submit\byxwutt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\abcd.exe[pnky.exe]
Adware:Adware/DollarRevenue Not disinfected C:\AC3_0010.0XE
Adware:Adware/DollarRevenue Not disinfected C:\DFNDRFF_7.0XE
Adware:Adware/DollarRevenue Not disinfected C:\DFNDRFG_7.0XE
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\Virus removal\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4S34W9GS\DRSMARTLOAD46A[1].0XE
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4S34W9GS\LOADER[1].0XE
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:22:27 AM, on 8/9/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Virus removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.211.102.142:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Vikesrock8411 · 08-09-2006, 11:48 AM

It definitely didn't respawn this time

Open Internet Explorer and click Tools->Internet Options. On the General tab click the Delete Cookies button. Then click the Delete Files button. Click OK twice and close IE.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\windows\keyboard1.dat
c:\windows\uninstall_nmon.vbs
C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator
C:\abcd.exe

Then do a search for *.0xe following and delete all files found (thats a zero not an 'o'.)

Post a new Hijackthis log and let me know how the omcputer is running.

bassey · 08-10-2006, 05:34 AM

My computer seems to be running well :-)

Here is the HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:29:37 PM, on 8/10/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe
C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe
C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe
C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe
C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
c:\program files (x86)\snmpc network manager\crserv.exe
c:\program files (x86)\snmpc network manager\discagt.exe
c:\program files (x86)\snmpc network manager\hist32.exe
c:\program files (x86)\snmpc network manager\bkserv.exe
C:\NetProvision\tomcat\bin\tomcat.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files (x86)\snmpc network manager\startupcfg.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Virus removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 111.222.333.444:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe
O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe
O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe
O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Thanks

Vikesrock8411 · 08-10-2006, 12:05 PM

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

bassey · 08-11-2006, 12:05 AM

Thank you soo much. You all are stars!!!

I have installed AVG Antivirus and I'm in the process of downloading the zone lab firewall. I will be switching to firefox as well.

Thanks again for all your help :-)

07-25-2006, 12:59 PM	#1 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	My hijack log - Please reply as soon as possible Hi There is a RIDICULOUS amount of traffic coming from my computer going to all sorts of wierd ip addresses, It is affecting all the other systems on my lan. I ran the housecall trendmicro online scan and some adware and malware were found however it was unable to repair/delete them all. Here is my hijackthis log, Thanks in advance Logfile of HijackThis v1.99.1 Scan saved at 8:56:37 PM, on 7/25/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\WINDOWS\RW5naW5lZXJpbmc\command.exe C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\Network Monitor\netmon.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\WINDOWS\winlogon.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\WINDOWS\imapi.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\WINDOWS\system32\winsock2.6.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe C:\WINDOWS\SysWOW64\ctfmon.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\system32\winsock2.6.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe c:\nwnmef_7.exe c:\dfndref_7.exe c:\kybrdef_7.exe c:\kybrdef_7.exe c:\ac3_0010.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Documents and Settings\Administrator\Desktop\junk\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: Shell=explorer.exe winsock2.6.exe F2 - REG:system.ini: UserInit=userinit O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {7979C1A1-C0AC-46F4-AFD1-E430EBFDE131} - C:\Program Files (x86)\Outlook Express\horefozep.dll (file missing) O4 - HKLM\..\Run: [winsockdriver] winsock2.6.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe O4 - HKLM\..\Run: [mmvece13] RUNDLL32.EXE w07029be.dll,n 001ece120000000a07029be O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [winsockdriver] winsock2.6.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.219.193.191,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\fscaayv.dll (file missing) O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dicbccd.dll (file missing) O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\cktdll.dll (file missing) O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\wztdecod.dll (file missing) O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\wfwfaxui.dll (file missing) O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\clmsnap.dll (file missing) O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\wgapi.dll (file missing) O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Windows Process Viewer (The Windows Process Viewer) - Unknown owner - C:\WINDOWS\winlogon.exe O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: Windows DVD Burning Software (Windows CDR n DVD Burning Software) - Unknown owner - C:\WINDOWS\imapi.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing) I have deleted: c:\nwnmef_7.exe c:\dfndref_7.exe c:\kybrdef_7.exe c:\kybrdef_7.exe a million times, but they just keep coming back. Last edited by bassey; 07-25-2006 at 01:11 PM.

07-28-2006, 03:34 PM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Downloads(make sure to save these in a permanent location) Cleanup!- Install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. Ewido Anti-Malware Install Ewido Anti-Malware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. I also recommend changing the "Update interval" to something more reasonable like 12 hours. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Next, please reboot your computer in Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: Shell=explorer.exe winsock2.6.exe F2 - REG:system.ini: UserInit=userinit O2 - BHO: (no name) - {7979C1A1-C0AC-46F4-AFD1-E430EBFDE131} - C:\Program Files (x86)\Outlook Express\horefozep.dll (file missing) O4 - HKLM\..\Run: [winsockdriver] winsock2.6.exe O4 - HKLM\..\Run: [mmvece13] RUNDLL32.EXE w07029be.dll,n 001ece120000000a07029be O4 - HKCU\..\RunOnce: [winsockdriver] winsock2.6.exe O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\fscaayv.dll (file missing) O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dicbccd.dll (file missing) O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\cktdll.dll (file missing) O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\wztdecod.dll (file missing) O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\wfwfaxui.dll (file missing) O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\clmsnap.dll (file missing) O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\wgapi.dll (file missing) Please remember to close all other windows, including browsers then click Fix checked. File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. winsock2.6.exe <<Find via Start>Search Please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked. Click OK Press the CleanUp!* button to start the program. If prompted to reboot, click No. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine Then click Apply all actions Once finished, click the Save report button, then click Save Report As and save it to your desktop. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: Ewido Log Panda Activescan Log A new Hijackthis! Log __________________

07-31-2006, 06:44 AM	#5 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Thanks Vikesrock8411 I couldn't run ewido because my system is 64bits :-( However I did everything else you asked me to do. Here are my HJT and active scan reports: HJT: Logfile of HijackThis v1.99.1 Scan saved at 2:38:33 PM, on 7/31/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\WINDOWS\winlogon.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\SysWOW64\ctfmon.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Administrator\Desktop\junk\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.220.50.236:3126 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\slqonkk.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing) Activescan: Incident Status Location Adware:Adware/DollarRevenue Not disinfected C:\dfndref_7.exe Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\Virus removal\SmitfraudFix.zip[SmitfraudFix/Process.exe] Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WHA7OH6R\drsmartload[1].exe Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk Adware:Adware/DollarRevenue Not disinfected C:\drsmartload.exe Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe Adware:adware/dollarrevenue Not disinfected C:\drsmartload45a7i.exe Adware:Adware/DollarRevenue Not disinfected C:\drsmartload46a7i.exe Adware:Adware/DollarRevenue Not disinfected C:\drsmartload849a7i.exe Adware:Adware/Look2Me Not disinfected C:\Installer3.exe Adware:Adware/DollarRevenue Not disinfected C:\kybrdef_7.exe Adware:Adware/ISearch Not disinfected C:\MTE3NDI6ODoxNg.exe Adware:Adware/Ucmore Not disinfected C:\Program Files (x86)\TheSearchAccelerator\IUCmore.dll Adware:Adware/Ucmore Not disinfected C:\Program Files (x86)\TheSearchAccelerator\UCMTSAIE.dll Adware:Adware/Ucmore Not disinfected C:\ucmoreiex.exe Adware:Adware/Look2Me Not disinfected C:\warebundlenewer.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\byxwutt.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\byxwxvs.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbxwwvt.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcbbyv.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcyvsp.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hggecaw.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hgggffc.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkjijh.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkllmj.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\khfcdbc.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjghgd.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjhgdc.dll Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\mmvece13.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnkjgg.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnkkhh.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnkige.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnnnmk.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnonmj.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\pmnklkl.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qommmlk.dll Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\slqonkk.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqnmmk.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tuvvwvs.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\urqronm.dll Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\w07029be.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvutqrs.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvuuuvw.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xxyvtur.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xxywwxu.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yaywurp.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayxuro.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\byxwutt.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\byxwxvs.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\cbxwwvt.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ddcbbyv.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ddcyvsp.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\hggecaw.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\hgggffc.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\jkkjijh.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\jkkllmj.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\khfcdbc.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ljjghgd.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ljjhgdc.dll Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\SysWOW64\mmvece13.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\nnnkjgg.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\nnnkkhh.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\opnkige.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\opnnnmk.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\opnonmj.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\pmnklkl.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\qommmlk.dll Adware:Adware/Look2Me Not disinfected C:\WINDOWS\SysWOW64\slqonkk.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\ssqnmmk.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\tuvvwvs.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\urqronm.dll Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\SysWOW64\w07029be.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\wvutqrs.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\wvuuuvw.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\xxyvtur.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\xxywwxu.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\yaywurp.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SysWOW64\yayxuro.dll Adware:adware/yoursearchengine Not disinfected C:\WINDOWS\winlogon.exe Last edited by bassey; 07-31-2006 at 07:11 AM.

07-31-2006, 12:13 PM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) Launch KillBox.exe & select the following options: delete on Reboot Select all the filenames below & then right-click & select Copy C:\dfndref_7.exe C:\drsmartload.exe C:\drsmartload1.exe C:\drsmartload45a7i.exe C:\drsmartload46a7i.exe C:\drsmartload849a7i.exe C:\Installer3.exe C:\kybrdef_7.exe C:\MTE3NDI6ODoxNg.exe C:\ucmoreiex.exe C:\warebundlenewer.exe C:\WINDOWS\system32\w07029be.dll C:\WINDOWS\system32\mmvece13.dll C:\WINDOWS\SysWOW64\mmvece13.dll C:\WINDOWS\SysWOW64\w07029be.dll C:\WINDOWS\winlogon.exe * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click No at the 'Pending Operations prompt'. Please download Look2Me-Destroyer.exe to your desktop. Close all windows before continuing. Double-click Look2Me-Destroyer.exe to run it. Put a check next to Run this program as a task. You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal. Once it's done scanning, click the Remove L2M button. You will receive a Done Scanning message, click OK. When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK. Your computer will then shutdown. Turn your computer back on. Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. If you receive a message from your firewall about this program accessing the internet please allow it. If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:WindowsSystem32 Directory. http://www.ascentive.com/support/new...b/MSWINSCK.OCX Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt and a new HiJackThis log. __________________

08-01-2006, 12:28 PM	#8 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Something is regenerating your infections quite rapidly, so we will try to take everything out in one pass. I want to make sure we get all of it so I would like you to run another online scan before we begin. Please open IE and go to Kaspersky WebScanner Next Click on Kaspersky Online Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________

07-25-2006, 11:43 PM	#2 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Anyone?

07-27-2006, 02:19 AM	#3 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	bump.

08-01-2006, 02:19 AM	#7 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Thanks, Here are my logs. VundoFix didn't find any infections. HIJACKTHIS Logfile of HijackThis v1.99.1 Scan saved at 10:08:18 AM, on 8/1/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\nwnmff_7.exe C:\dfndrff_7.exe C:\kybrdff_7.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Network Monitor\netmon.exe C:\WINDOWS\RW5naW5lZXJpbmc\command.exe C:\Program Files (x86)\SNMPc Network Manager\snmpc32.exe C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\nwnmff_7.exe C:\dfndrff_7.exe C:\kybrdff_7.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\Documents and Settings\Administrator\Desktop\junk\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.220.50.236:3126 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\vuipxspx.dll O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\wunnls.dll O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RW5naW5lZXJpbmc\command.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Monitor - Unknown owner - C:\Program Files (x86)\Network Monitor\netmon.exe O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe (file missing) O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing) LOOK2ME DESTROYER Look2Me-Destroyer V1.0.12 Scanning for infected files..... Scan started at 8/1/2006 9:37:03 AM Infected! C:\WINDOWS\system32\slqonkk.dll Infected! C:\WINDOWS\system32\slqonkk.dll Infected! C:\WINDOWS\SysWOW64\slqonkk.dll Attempting to delete infected files... Attempting to delete: C:\WINDOWS\system32\slqonkk.dll C:\WINDOWS\system32\slqonkk.dll Deleted successfully! Attempting to delete: C:\WINDOWS\system32\slqonkk.dll C:\WINDOWS\system32\slqonkk.dll Deleted successfully! Attempting to delete: C:\WINDOWS\SysWOW64\slqonkk.dll C:\WINDOWS\SysWOW64\slqonkk.dll Deleted successfully! Making registry repairs. Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3C122DE4-F17A-47BF-B9BC-35902B3662B2}" HKCR\Clsid\{3C122DE4-F17A-47BF-B9BC-35902B3662B2} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B20F1499-0AD9-4425-958E-A6AE37A8D6C4}" HKCR\Clsid\{B20F1499-0AD9-4425-958E-A6AE37A8D6C4} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{68FE2EB6-9543-466D-B044-897A9B051D9A}" HKCR\Clsid\{68FE2EB6-9543-466D-B044-897A9B051D9A} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B2FB7856-E4FE-41F6-9119-83906577E6E5}" HKCR\Clsid\{B2FB7856-E4FE-41F6-9119-83906577E6E5} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5B5EE3C0-93C7-45D3-B78A-8B1660A3A3E5}" HKCR\Clsid\{5B5EE3C0-93C7-45D3-B78A-8B1660A3A3E5} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{81C486DE-A2F6-4674-90B2-DE8C408F2892}" HKCR\Clsid\{81C486DE-A2F6-4674-90B2-DE8C408F2892} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8D24D206-3028-4892-9E2F-BBCE7D12A07F}" HKCR\Clsid\{8D24D206-3028-4892-9E2F-BBCE7D12A07F} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{731CC555-28C5-43B9-B63B-0341023C8070}" HKCR\Clsid\{731CC555-28C5-43B9-B63B-0341023C8070} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B01FCC27-1BCA-481E-ADD5-A56465A55CCC}" HKCR\Clsid\{B01FCC27-1BCA-481E-ADD5-A56465A55CCC} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23F4CA95-11B7-4878-B600-785D1A667AA2}" HKCR\Clsid\{23F4CA95-11B7-4878-B600-785D1A667AA2} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{71C1B830-E372-4AA4-9CF5-D312F09BFC37}" HKCR\Clsid\{71C1B830-E372-4AA4-9CF5-D312F09BFC37} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6124AA6B-3227-4014-B553-F0AF81058A04}" HKCR\Clsid\{6124AA6B-3227-4014-B553-F0AF81058A04} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C8F2A560-C075-4AB5-9C09-6B7C8FA3B64C}" HKCR\Clsid\{C8F2A560-C075-4AB5-9C09-6B7C8FA3B64C} Restoring Windows certificates. Replaced hosts file with default windows hosts file Restoring SeDebugPrivilege for Administrators - Succeeded

08-04-2006, 06:17 PM	#9 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,238 OS: N/A	Kaspersky online scanner will be down until next week. Please use this instead - * Click here to use the F-Secure Online Scanner It's explained there with images how to allow the ActiveX to start the scan, so read that first. Then click the F-Secure Online Scanner Next Generation Beta link. Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan. Click the Full System Scan button. It will start to download scanner components and databases. This can take a while. The main scan will start. Once the scan finished scanning, click the Automatic cleaning (recommended) button It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure. The cleaning can take a while, so please be patient. Then click the Show report button and copy and paste what's present under results in your next reply. __________________

08-05-2006, 05:24 AM	#10 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Here are the results of the scan: Result: 46 malware found Backdoor.Win32.SdBot.xd (virus) C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\012L4N6P\PINKPIG[1].EXE (Renamed) CmdServices (spyware) System (Disinfected) CoolWebSearch (spyware) System (Disinfected) Packed.Win32.CryptExe (virus) C:\PIC4312.COM (Submitted) Possible Browser Hijack attempt (spyware) System (Disinfected) Tracking Cookie (spyware) System (Disinfected) System System System System System System System System System System Trojan-Clicker.Win32.VB.ly (virus) C:\DFNDRFF_7.EXE (Renamed) C:\DFNDRFG_7.EXE (Renamed) Trojan-Downloader.Win32.Adload.db (virus) C:\DRSMARTLOAD45A7I.EXE (Renamed) C:\DRSMARTLOAD45A8A.EXE (Renamed) C:\DRSMARTLOAD46A7I.EXE (Renamed) C:\DRSMARTLOAD46A8A.EXE (Renamed) C:\DRSMARTLOAD849A7I.EXE (Renamed) C:\DRSMARTLOAD849A8A.EXE (Renamed) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y3A72TMF\DRSMARTLOAD45A[1].EXE (Renamed) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y3A72TMF\DRSMARTLOAD849A[1].EXE (Renamed) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4S34W9GS\DRSMARTLOAD46A[1].EXE (Renamed) Trojan-Downloader.Win32.Adload.de (virus) C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WHA7OH6R\DRSMARTLOAD[1].EXE (Renamed) Trojan-Downloader.Win32.Adload.dh (virus) C:\KYBRDFG_7.EXE (Renamed) Trojan-Downloader.Win32.Adload.di (virus) C:\DRSMARTLOAD.EXE (Renamed) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4S34W9GS\LOADER[1].EXE (Renamed) Trojan-Downloader.Win32.Adload.dj (virus) C:\NWNMFF_7.EXE (Renamed) C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\012L4N6P\NWNMFF_7[1].EXE (Renamed) Trojan-Downloader.Win32.Adload.dk (virus) C:\WINDOWS\SYSWOW64\CONFIG\DRXVP.EXE (Renamed) C:\WINDOWS\SYSTEM32\CONFIG\DRXVP.EXE Trojan-Downloader.Win32.Adload.dl (virus) C:\KYBRDFF_7.EXE (Renamed) C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XQTY3MP\KYBRDFF_7[1].EXE (Renamed) Trojan-Downloader.Win32.Small.buy (virus) C:\MTE3NDI6ODOXNG.EXE (Renamed) Trojan-Downloader.Win32.Small.cyh (virus) C:\AC3_0010.EXE (Renamed) C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\012L4N6P\AC3_0010[1].EXE (Renamed) Trojan-Downloader.Win32.VB.aiy (virus) C:\NWNMEF_7.EXE (Renamed) C:\NWNMFG_7.EXE (Renamed) UCmore (spyware) System (Disinfected) W32/NetMon.C (virus) C:\PROGRAM FILES (X86)\NETWORK MONITOR\NETMON.EXE Win32.Trojan.Downloader (spyware) System (Disinfected) win32.Trojan.Dnschanger (spyware) System (Disinfected) -------------------------------------------------------------------------------- Statistics Scanned: Files: 28305 System: 10824 Not scanned: 3 Actions: Disinfected: 7 Renamed: 26 Deleted: 0 None: 13 Submitted: 1 Files not scanned: C:\PAGEFILE.SYS C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\416 C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{29E7E870-71A3-4FBC-9C0B-9F5849239AFD}.BIN -------------------------------------------------------------------------------- Options Scanning engines: F-Secure AVP: 6.0.171, 2006-08-04 F-Secure Libra: 2.4.1, 2006-08-02 F-Secure Blacklight: 1.0.31, 0000-00-00 F-Secure Orion: 1.2.37, 2006-08-04 F-Secure Draco: 1.0.35, 0259-24-212 F-Secure Pegasus: 1.19.0, 2006-06-05 Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX Use Advanced heuristics Thank you

08-05-2006, 10:59 PM	#11 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	It looks like the F-Secure scanner fixed a lot of malware. Please run a new scan with Hijackthis and post the log here. Please download the file update.zip. Unzip it to your desktop and double click on update.reg. Click Yes to merge the info into your registry. __________________

08-06-2006, 11:31 AM	#12 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Here is my Hijack this log: Logfile of HijackThis v1.99.1 Scan saved at 7:28:17 PM, on 8/6/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\WINDOWS\RW5naW5lZXJpbmc\command.exe C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files (x86)\Network Monitor\netmon.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\MSSQL\Binn\sqlservr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe C:\Documents and Settings\Administrator\Desktop\putty.exe C:\Program Files (x86)\Microsoft Office\Office10\MSACCESS.EXE D:\tools\jre\bin\javaw.exe C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\Documents and Settings\Administrator\Desktop\Virus removal\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.211.102.142:8080 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\vuipxspx.dll (file missing) O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\wunnls.dll (file missing) O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Monitor - Unknown owner - C:\Program Files (x86)\Network Monitor\netmon.exe (file missing) O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe (file missing) O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing) Thank you so much

08-07-2006, 07:22 PM	#13 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\vuipxspx.dll (file missing) O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\wunnls.dll (file missing) O23 - Service: Network Monitor - Unknown owner - C:\Program Files (x86)\Network Monitor\netmon.exe (file missing) O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe (file missing) Please remember to close all other windows, including browsers then click Fix checked. Launch KillBox.exe & select the following options: delete on Reboot Select all the filenames below & then right-click & select Copy C:\WINDOWS\system32\byxwutt.dll C:\WINDOWS\system32\byxwxvs.dll C:\WINDOWS\system32\cbxwwvt.dll C:\WINDOWS\system32\ddcbbyv.dll C:\WINDOWS\system32\ddcyvsp.dll C:\WINDOWS\system32\hggecaw.dll C:\WINDOWS\system32\hgggffc.dll C:\WINDOWS\system32\jkkjijh.dll C:\WINDOWS\system32\jkkllmj.dll C:\WINDOWS\system32\khfcdbc.dll C:\WINDOWS\system32\ljjghgd.dll C:\WINDOWS\system32\ljjhgdc.dll C:\WINDOWS\system32\nnnkjgg.dll C:\WINDOWS\system32\nnnkkhh.dll C:\WINDOWS\system32\opnkige.dll C:\WINDOWS\system32\opnnnmk.dll C:\WINDOWS\system32\opnonmj.dll C:\WINDOWS\system32\pmnklkl.dll C:\WINDOWS\system32\qommmlk.dll C:\WINDOWS\system32\ssqnmmk.dll C:\WINDOWS\system32\tuvvwvs.dll C:\WINDOWS\system32\urqronm.dll C:\WINDOWS\system32\wvutqrs.dll C:\WINDOWS\system32\wvuuuvw.dll C:\WINDOWS\system32\xxyvtur.dll C:\WINDOWS\system32\xxywwxu.dll C:\WINDOWS\system32\yaywurp.dll C:\WINDOWS\system32\yayxuro.dll C:\WINDOWS\SysWOW64\byxwutt.dll C:\WINDOWS\SysWOW64\byxwxvs.dll C:\WINDOWS\SysWOW64\cbxwwvt.dll C:\WINDOWS\SysWOW64\ddcbbyv.dll C:\WINDOWS\SysWOW64\ddcyvsp.dll C:\WINDOWS\SysWOW64\hggecaw.dll C:\WINDOWS\SysWOW64\hgggffc.dll C:\WINDOWS\SysWOW64\jkkjijh.dll C:\WINDOWS\SysWOW64\jkkllmj.dll C:\WINDOWS\SysWOW64\khfcdbc.dll C:\WINDOWS\SysWOW64\ljjghgd.dll C:\WINDOWS\SysWOW64\ljjhgdc.dll C:\WINDOWS\SysWOW64\nnnkjgg.dll C:\WINDOWS\SysWOW64\nnnkkhh.dll C:\WINDOWS\SysWOW64\opnkige.dll C:\WINDOWS\SysWOW64\opnnnmk.dll C:\WINDOWS\SysWOW64\opnonmj.dll C:\WINDOWS\SysWOW64\pmnklkl.dll C:\WINDOWS\SysWOW64\qommmlk.dll C:\WINDOWS\SysWOW64\ssqnmmk.dll C:\WINDOWS\SysWOW64\tuvvwvs.dll C:\WINDOWS\SysWOW64\urqronm.dll C:\WINDOWS\SysWOW64\wvutqrs.dll C:\WINDOWS\SysWOW64\wvuuuvw.dll C:\WINDOWS\SysWOW64\xxyvtur.dll C:\WINDOWS\SysWOW64\xxywwxu.dll C:\WINDOWS\SysWOW64\yaywurp.dll C:\WINDOWS\SysWOW64\yayxuro.dll C:\WINDOWS\RW5naW5lZXJpbmc\command.exe C:\WINDOWS\SYSTEM32\CONFIG\DRXVP.EXE C:\PROGRAM FILES (X86)\NETWORK MONITOR\NETMON.EXE * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click Yes at the 'Pending Operations prompt'. Run a new scan with Hijackthis and post the log here. __________________

08-08-2006, 03:04 AM	#14 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Here is my HJT Log: Logfile of HijackThis v1.99.1 Scan saved at 11:00:38 AM, on 8/8/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\Documents and Settings\Administrator\Desktop\Virus removal\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.211.102.142:8080 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing) Thanks, Bassey

08-08-2006, 01:10 PM	#15 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Looks like we might have got them all At the end of this post I'll have you run Panda again just to be sure. I do not see an Antivirus program in you log. Please download one from the following list, install it, and run a scan. Fix anything it finds. A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir I see you do not have a Firewall installed on your system. The Windows firewall does a poor job of protecting a system because it only monitors the traffic coming in and not going out. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Sunbelt Kerio Personal Firewall Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: Panda Activescan Log A new Hijackthis! Log __________________

08-09-2006, 03:30 AM	#16 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Yeah, I know I should get an antivirus but the challenge I have it that my computer is a 64bit system and nothing seems to be compatible. I however did notice on the Avast web site that they support the 64 bit architecture so I'll download and install it. Thank you so much. Here is the activescan report: Incident Status Location Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs Adware:adware/ucmore Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator Spyware:Spyware/Virtumonde Not disinfected C:\!Submit\byxwutt.dll Spyware:Spyware/Virtumonde Not disinfected C:\abcd.exe[pnky.exe] Adware:Adware/DollarRevenue Not disinfected C:\AC3_0010.0XE Adware:Adware/DollarRevenue Not disinfected C:\DFNDRFF_7.0XE Adware:Adware/DollarRevenue Not disinfected C:\DFNDRFG_7.0XE Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[data.coremetrics.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.statcounter.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.statcounter.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.advertising.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\63nf3k48.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@maxserving[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\Virus removal\SmitfraudFix.zip[SmitfraudFix/Process.exe] Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4S34W9GS\DRSMARTLOAD46A[1].0XE Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4S34W9GS\LOADER[1].0XE Here is the HJT log: Logfile of HijackThis v1.99.1 Scan saved at 11:22:27 AM, on 8/9/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Administrator\Desktop\Virus removal\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.211.102.142:8080 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

08-09-2006, 11:48 AM	#17 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	It definitely didn't respawn this time Open Internet Explorer and click Tools->Internet Options. On the General tab click the Delete Cookies button. Then click the Delete Files button. Click OK twice and close IE. File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\windows\keyboard1.dat c:\windows\uninstall_nmon.vbs C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator C:\abcd.exe Then do a search for *.0xe following and delete all files found (thats a zero not an 'o'.) Post a new Hijackthis log and let me know how the omcputer is running. __________________

08-10-2006, 05:34 AM	#18 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	My computer seems to be running well :-) Here is the HJT Log: Logfile of HijackThis v1.99.1 Scan saved at 1:29:37 PM, on 8/10/2006 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe C:\PROGRA~2\Grisoft\AVG7\avgemc.exe C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NetworkSecurityAnalyzer.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\DataCollector.exe C:\Program Files (x86)\FWASyslog\Syslog\WatchDog.exe C:\Program Files (x86)\Network Security Analyzer\FWA\Monitoring.exe C:\Program Files (x86)\FWASyslog\Syslog\syslogserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\eIQSSft\eIQftserver.exe C:\Program Files (x86)\FWASyslog\Syslog\Leaserver.exe C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe C:\Program Files (x86)\Network Security Analyzer\FWA\mysql\bin\eiqmysqld.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~2\Grisoft\AVG7\avgcc.exe c:\program files (x86)\snmpc network manager\startupcfg.exe c:\program files (x86)\snmpc network manager\crserv.exe c:\program files (x86)\snmpc network manager\discagt.exe c:\program files (x86)\snmpc network manager\hist32.exe c:\program files (x86)\snmpc network manager\bkserv.exe C:\NetProvision\tomcat\bin\tomcat.exe C:\WINDOWS\SysWOW64\ctfmon.exe C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~2\Grisoft\AVG7\avgcc.exe C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe c:\program files (x86)\snmpc network manager\startupcfg.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Virus removal\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 111.222.333.444:8080 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Startup System.lnk = C:\Program Files (x86)\SNMPc Network Manager\crcstart.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files (x86)\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files (x86)\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files (x86)\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files (x86)\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://172.18.0.199/SysCamInst.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CCS\Services\Tcpip\..\{47E19938-0A08-486A-ACBA-3DC8236CEA9F}: NameServer = 193.220.50.236,193.219.193.190 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SWIFTNetworks.engineering O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing) O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Network Security Analyzer Service (NetworkSecurityAnalyzer) - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAService.exe O23 - Service: Network Security Analyzer Syslog Service (NetworkSecurityAnalyzerSyslog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\SyslogService.exe O23 - Service: Network Security Analyzer Watchdog Service (NetworkSecurityAnalyzerWatchdog) - Unknown owner - C:\Program Files (x86)\FWASyslog\Syslog\WatchDogService.exe O23 - Service: NSAApache - Unknown owner - C:\Program Files (x86)\Network Security Analyzer\FWA\NSAApacheSvr.exe" -k runservice (file missing) O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing) O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing) O23 - Service: Tomcat - Alexandria Software Consulting - C:\NetProvision\tomcat\bin\tomcat.exe O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing) O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing) Thanks

08-10-2006, 12:05 PM	#19 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Sunbelt Kerio Personal Firewall Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. __________________

08-11-2006, 12:05 AM	#20 (permalink)
bassey Registered User Join Date: Jul 2006 Posts: 18 OS: windows 2003 server	Thank you soo much. You all are stars!!! I have installed AVG Antivirus and I'm in the process of downloading the zone lab firewall. I will be switching to firefox as well. Thanks again for all your help :-)